To our families


Preface 


Homomorphic encryption is a form of encryption that allows specific types of 
computations to be carried out on ciphertext and generate an encrypted result that, 
when decrypted, matches the result of operations performed on the plaintext. 

This is a desirable feature in modern communication system architectures. The 
homomorphic property of various cryptosystems can be used to create secure voting 
systems and private information retrieval schemes and enable widespread use of 
cloud computing by ensuring the confidentiality of processed data. 

This book presents the basic homomorphic encryption techniques and their
applications. It begins with an introduction to the history of encryption
techniques, from classical ciphers to secret key encryption and public-key
encryption, including the secret key and public-key encryption models. It then
provides the definition of homomorphic encryption, followed by descriptions of
some well-known homomorphic encryption schemes, such as the ElGamal and Paillier
encryption schemes. Building on the homomorphic encryption concept, this book
further introduces the state-of-the-art fully homomorphic encryption concept and
describes the fully homomorphic encryption schemes over the integers. After that,
this book focuses on three applications of homomorphic encryption techniques. The
first application introduces an electronic voting scheme based on the ElGamal
encryption scheme. The second application deals with nearest neighbor queries
with location privacy, based on private information retrieval built on the
Paillier encryption scheme. The third application discusses private searching on
streaming data based on fully homomorphic encryption schemes.

This book is designed to serve as a reference book for undergraduate- or 
graduate-level courses in computer science or mathematics departments, as a 
general introduction suitable for self-study (especially for beginning graduate 
students), and as a reference for students, researchers, and practitioners. 
Chapter 1
Introduction


Abstract Encryption is the process of converting messages, information, or data
into a form unreadable by anyone except the intended recipient. Encrypted data
must be decrypted before it can be read by the recipient. In its earliest form,
people attempted to conceal information that they wanted to keep in their own
possession by substituting parts of the information with symbols, numbers, and
pictures. Today's encryption algorithms are divided into two categories: secret
key and public key. Secret key encryption schemes use the same key (the secret
key) to encrypt and decrypt a message, while public-key encryption schemes use
one key (the public key) to encrypt a message and a different key (the private
key) to decrypt it; all of today's encryption algorithms fit within those two
categories. This chapter introduces the history of encryption techniques from
classical ciphers to secret key encryption and public-key encryption, including
the secret key and public-key encryption models. It provides some background for
homomorphic encryption.


1.1 Classical Ciphers 


A cipher is a technique for hiding a message, by which letters of the message
are substituted or transposed into other letters, letter pairs, or even groups of
letters. In cryptography, a classical cipher is a type of cipher that was used
historically but is no longer in use. In general, classical ciphers operate on an
alphabet of letters (such as "A-Z") and can be implemented by hand or with simple
mechanical devices. They are the most basic types of ciphers and are not very
secure, especially since new technology was developed. Modern schemes use
computers or other digital technology and operate on bits and bytes.

Many classical ciphers were used by well-respected people, such as Julius Caesar 
and Napoleon, who created their own ciphers which were then popularly used. 
Many ciphers had their origins in the military and were used for transporting secret 
messages among people on the same side. 

Classical schemes are often susceptible to ciphertext-only attacks, sometimes 
even without knowledge of the encryption system itself, using tools such as 
frequency analysis. 

Classical ciphers are often divided into substitution ciphers, transposition 
ciphers, and product ciphers as follows: 
1. Substitution cipher is a method of encryption by which plaintext letters are
replaced with ciphertext letters, according to an encryption system. The receiver
decrypts the ciphertexts by performing an inverse substitution.

2. Transposition cipher is a method of encryption by which the positions held 
by plaintext letters are shifted according to an encryption system, so that the 
ciphertext letters constitute a permutation of the plaintext letters. Mathematically 
a bijective map is used on the letters’ positions to encrypt and an inverse map to 
decrypt. 

3. Product cipher combines a sequence of simple transformations such as
transposition ciphers and substitution ciphers. The combination could yield a
cipher system more powerful than either one alone.


1.1.1 Substitution Ciphers 


A well-known example of substitution ciphers is the Caesar cipher [14]. The Caesar
cipher is named after Julius Caesar (July 100 BC–15 March 44 BC), who was a
Roman general, statesman, and Consul and played a critical role in the events that
led to the demise of the Roman Republic and the rise of the Roman Empire. Caesar's
is the first recorded use of this cipher.

To encrypt a message with the Caesar cipher, each letter of the message is
replaced by the letter three positions later in the alphabet. Hence, A is replaced
by D, B by E, C by F, etc. Finally, X, Y, and Z are replaced by A, B, and C,
respectively. So, for example, "CAESAR" encrypts as "FDHVDU." Caesar rotated the
alphabet by three letters, but any number works. When the number of rotations is
19, the plaintext and ciphertext alphabets look like:


Plaintext alphabet:  abcdefghijklmnopqrstuvwxyz
Ciphertext alphabet: tuvwxyzabcdefghijklmnopqrs


While the encryption is done by substituting plaintext letters with the
corresponding ciphertext letters, the decryption is done by performing an inverse
substitution. The encryption and decryption processes can be implemented by a
cipher wheel as shown in Fig. 1.1, where the plaintext and ciphertext alphabets
are on the outer and inner wheels, respectively, and the inner wheel is turnable.

As there are only 25 possible rotations for the alphabet, the Caesar cipher can be 
easily broken by a brute-force attack or exhaustive key search, i.e., systematically 
checking all possible keys until the correct one is found. 

The Caesar cipher is a monoalphabetic substitution cipher, where just one
ciphertext alphabet is used. It is also possible to have a polyalphabetic
substitution cipher, where multiple ciphertext alphabets are used. This makes the
ciphertext much harder to decode because the codebreaker would have to figure out
the ciphertext alphabets used.

Fig. 1.1 Caesar cipher wheel


A typical example of polyalphabetic substitution ciphers is the Vigenère cipher
[5]. The Vigenère cipher is named after Blaise de Vigenère (5 April 1523–19
February 1596), who was a French diplomat, cryptographer, translator, and
alchemist.

To encrypt, a table of alphabets, as shown in Fig. 1.2, is used, termed the
Vigenère square; it is composed of the alphabet written out 26 times in different
rows, each alphabet shifted cyclically one position to the left compared to the
previous one, corresponding to the 26 possible Caesar ciphers.

To use the Vigenère square to encrypt a message, we first choose a keyword and
then repeat it until it is the same length as the message we wish to encode. We
then write the message underneath the repeated keyword to see which ciphertext
alphabet to use for each letter of the message. The first letter of the message
is encrypted using the ciphertext alphabet that corresponds to the first letter
of the keyword, and so on. For example, if we have the keyword VENUS and the
message we want to encode is "polyalphabetic", this is what we would do:


Keyword:    VENUSVENUSVENU
Plaintext:  polyalphabetic
Ciphertext: KSYSSGTUUTZXVW


Some substitution ciphers involve using numbers instead of letters. An example 
of this is the Great Cipher [21], where numbers were used to represent syllables. 
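As an added illustration (not code from the book), the following Python implements the Caesar and Vigenère ciphers just described, treating a Caesar cipher as a Vigenère cipher with a one-letter keyword, and carries out the exhaustive key search over the 25 rotations that the text says breaks the Caesar cipher, using a crib word to recognise the correct plaintext.

```python
import string

# The 26-letter alphabet the ciphers in this section operate on.
ALPHABET = string.ascii_lowercase


def shifted_alphabet(rotation: int) -> str:
    """Ciphertext alphabet for a Caesar rotation (rotation 19 starts at 't')."""
    return ALPHABET[rotation:] + ALPHABET[:rotation]


def vigenere_encrypt(plaintext: str, keyword: str) -> str:
    """Shift each letter by the matching letter of the repeated keyword.
    Non-letters pass through unchanged and do not consume a keyword letter."""
    shifts = [ALPHABET.index(k) for k in keyword.lower()]
    out, i = [], 0
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shifts[i % len(shifts)]) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out).upper()


def vigenere_decrypt(ciphertext: str, keyword: str) -> str:
    """Inverse substitution: shift each letter back by the keyword letter."""
    shifts = [ALPHABET.index(k) for k in keyword.lower()]
    out, i = [], 0
    for ch in ciphertext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) - shifts[i % len(shifts)]) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def caesar_encrypt(plaintext: str, rotation: int = 3) -> str:
    """A Caesar cipher is a Vigenere cipher whose keyword is a single letter."""
    return vigenere_encrypt(plaintext, ALPHABET[rotation])


def caesar_decrypt(ciphertext: str, rotation: int = 3) -> str:
    return vigenere_decrypt(ciphertext, ALPHABET[rotation])


def caesar_exhaustive_search(ciphertext: str, crib: str) -> list:
    """The exhaustive key search from the text: only 25 rotations exist, so try
    them all and keep those whose decryption contains a word (crib) that the
    plaintext is expected to contain."""
    candidates = []
    for rotation in range(1, 26):
        plaintext = caesar_decrypt(ciphertext, rotation)
        if crib in plaintext:
            candidates.append((rotation, plaintext))
    return candidates
```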


1.1.2 Transposition Ciphers 


Fig. 1.2 Vigenère square

In a transposition cipher, the letters themselves are kept unchanged, but their
order within the message is scrambled according to some well-defined scheme. Many
transposition ciphers are done according to a geometric design. The simplest
example of transposition ciphers is the Scytale cipher [13]. The Scytale cipher
was used by the ancient Greeks and Spartans to communicate during their military
campaigns. It was first mentioned by the Greek poet Archilochus, who lived in the
seventh century BC. The Scytale cipher involves three pieces of equipment, namely
a pen, a long strip of paper (leather was used by the Greeks and Spartans), and a
cylinder of some sort, as shown in Fig. 1.3.

The long thin strip of paper is wrapped around the cylinder, going from one end
to the other. The message


KILL KING TOMORROW MIDNIGHT


is then written horizontally on the paper, one letter for each wrap around, going
from left to right, three letters per column. The cylinder is rotated and the rest
of the message is written until the message is complete. Once it is complete, the
strip of paper is taken off and the result


KTMIOILMDLONKRIIRGNOHGWT


is the ciphertext. With this ciphertext, the only way to read the original is to re-wrap 
it around a cylinder of equal width and read the letters from left to right. 

The diameter of the Scytale can be regarded as the key of the cipher. Since the
key can take only a small number of positive integer values, the Scytale cipher
can be easily broken by a brute-force attack.

Another simple example of transposition ciphers is the columnar cipher [12]. 
It can be performed by hand. First, the message is written out in rows of a fixed 
length, and then read out again column by column, and the columns are chosen 
in some scrambled order. Both the width of the rows and the permutation of 
the columns are usually defined by a keyword. For example, suppose we use the 
keyword GERMAN and the message 


defend the east wall of the castle. 


The encryption process can be illustrated as follows: 


G E R M A N        A E G M N R
d e f e n d        n e d e d f
t h e e a s        a h t e s e
t w a l l o        l w t l o a
f t h e c a        c t f e a h
s t l e x x        x t s e x l


In the above example, the plaintext has been padded with "xx" so that it neatly
fits in a rectangle. This is known as a regular columnar transposition. An
irregular columnar transposition leaves these positions blank, though this makes
decryption slightly more difficult. The columns are now reordered such that the
letters in the keyword are ordered alphabetically. The ciphertext is read off
along the columns, i.e.,


nalcxehwttdttfseeleedsoaxfeahl


Many transposition ciphers are similar to these two examples, usually involving
rearranging the letters into rows or columns and then taking them in a systematic
way to transpose the letters.


1.1.3 Product Ciphers 


A product cipher combines two or more transformations in a manner intended to
make the resulting cipher more secure than the individual components. A typical
example of product ciphers is the ADFGVX cipher [12]. The ADFGVX cipher was used
by the German army during World War I. Invented by Colonel Fritz Nebel and
introduced in March 1918, the cipher combined a substitution cipher with a
transposition cipher. The cipher is named after the six possible letters used in
the ciphertext: A, D, F, G, V, and X. These letters were chosen deliberately
because they sound very different from each other when transmitted via Morse
code. The intention was to reduce the possibility of operator error.

The ADFGVX cipher used a 6 × 6 matrix to substitution-encrypt the 26 letters and
10 digits into pairs of the symbols A, D, F, G, V, and X. The resulting biliteral
cipher was then written into a rectangular array and route-encrypted by reading
the columns in the order indicated by a keyword.

The "key" for an ADFGVX cipher is a "key square" and a keyword. The key square is
a 6 by 6 square containing all the letters and the numbers 0–9, as shown in
Fig. 1.4. The keyword is any word, e.g., GERMAN.

Fig. 1.4 ADFGVX square

There are a number of steps involved: 


1. Build a table like that shown in Fig. 1.4 as the key square. This is known as a
Polybius square.

2. Encode the plaintext using this matrix; to encode the letter "a," locate it in
the matrix and read off the letter on the far left side on the same row, followed
by the letter at the top in the same column. In this way each plaintext letter is
replaced by two ciphertext letters, e.g., "attack" is encrypted to


DV XA XA DV VV GX


The ciphertext is now twice as long as the original plaintext. Note that so far,
it is just a simple substitution cipher and trivial to break.

3. Write the keyword with the enciphered plaintext underneath, e.g.,


GERMAN
DVXAXA
DVVVGX


4. Perform a columnar transposition. Sort the keyword alphabetically, moving the
columns as you go. Note that the letter pairs that make up each letter get split
apart during this step; this is called fractionating.


AEGMNR
XVDAAX
GVDVXV


Read the final ciphertext off in columns:

XGVVDDAVAXXV
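The keyword columnar transposition of Sect. 1.1.2 and the ADFGVX product cipher above, as an added Python example that is not from the book. The 6 × 6 key square is constructed here (Fig. 1.4 is not reproduced) and arranged so that the text's "attack" example comes out as DVXAXADVVVGX and, after transposition with GERMAN, as XGVVDDAVAXXV.

```python
# Symbols of the ADFGVX cipher; a symbol's index is its row/column position.
SYMBOLS = "ADFGVX"

# CONSTRUCTED key square (the book's Fig. 1.4 is not reproduced here). Rows and
# columns are labelled A, D, F, G, V, X; the 26 letters and 10 digits are placed
# so that a -> DV, t -> XA, c -> VV and k -> GX, matching the "attack" example.
KEY_SQUARE = [
    "ph0qg6",  # row A
    "4me1ay",  # row D
    "l2nofd",  # row F
    "xr3s5k",  # row G
    "j9zwcb",  # row V
    "tu7v8i",  # row X
]


def column_order(keyword: str) -> list:
    """Column indices in the order the keyword letters sort alphabetically
    (a stable sort keeps repeated letters in left-to-right order)."""
    return sorted(range(len(keyword)), key=lambda i: (keyword[i], i))


def columnar_encrypt(text: str, keyword: str, pad: str = "x") -> str:
    """Regular columnar transposition: write the text in rows as wide as the
    keyword, pad the last row, then read the columns in keyword order."""
    width = len(keyword)
    text = text + pad * (-len(text) % width)
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    return "".join("".join(row[c] for row in rows) for c in column_order(keyword))


def columnar_decrypt(ciphertext: str, keyword: str) -> str:
    """Invert the transposition: cut the ciphertext into columns of equal height
    and put each column back at its original keyword position."""
    width = len(keyword)
    height = len(ciphertext) // width
    columns = [""] * width
    for k, c in enumerate(column_order(keyword)):
        columns[c] = ciphertext[k * height:(k + 1) * height]
    return "".join(columns[c][r] for r in range(height) for c in range(width))


def polybius_substitute(plaintext: str) -> str:
    """Step 2: replace each character by its row symbol then its column symbol."""
    pairs = []
    for ch in plaintext.lower():
        row = next(r for r, cells in enumerate(KEY_SQUARE) if ch in cells)
        pairs.append(SYMBOLS[row] + SYMBOLS[KEY_SQUARE[row].index(ch)])
    return "".join(pairs)


def adfgvx_encrypt(plaintext: str, keyword: str) -> str:
    """Steps 2-4: substitute, then fractionate with a columnar transposition.
    Characters absent from the square (spaces, punctuation) are dropped, and the
    plaintext is padded with 'x' so the symbol rows fill the rectangle."""
    plaintext = "".join(ch for ch in plaintext.lower()
                        if any(ch in row for row in KEY_SQUARE))
    while (2 * len(plaintext)) % len(keyword):
        plaintext += "x"
    return columnar_encrypt(polybius_substitute(plaintext), keyword, pad="")


def adfgvx_decrypt(ciphertext: str, keyword: str) -> str:
    """Undo the transposition, then look each symbol pair up in the square."""
    symbols = columnar_decrypt(ciphertext, keyword)
    out = []
    for i in range(0, len(symbols), 2):
        row, col = SYMBOLS.index(symbols[i]), SYMBOLS.index(symbols[i + 1])
        out.append(KEY_SQUARE[row][col])
    return "".join(out)
```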


In the days of manual cryptography, product ciphers were a useful device for
cryptographers, and in fact double transposition or product ciphers on
keyword-based rectangular matrices were widely used. There was also some use of a
class of product ciphers known as fractionation systems, wherein a substitution
was first made from symbols in the plaintext to multiple symbols (usually pairs,
in which case the cipher is called a biliteral cipher) in the ciphertext, which
was then encrypted by a final transposition, known as superencryption.

The great French cryptanalyst Georges J. Painvin succeeded in cryptanalyzing 
critical ADFGVX ciphers in 1918 [16], with devastating effect for the German army 
at the Second Battle of the Marne. 

Nowadays, most classical ciphers have fallen out of use. They were frequently
used during World War II, but since computers became available for security
analysis, their applicability has diminished. However, this does not imply that
a description of classical ciphers is only of historical interest. These ciphers
have had a profound impact on today's information security technology and provide
an approach for beginners to understand the ideas of information security
technology.


1.2 Secret Key Encryption 


1.2.1 Secret Key Encryption Model 


Secret key encryption algorithms are a class of algorithms that use the same
secret key for both encryption of plaintext and decryption of ciphertext. The keys
may be identical, or there may be a simple transformation to go between the two
keys. The keys, in practice, represent a shared secret between two or more parties
that can be used to maintain a private information link.
Fig. 1.5 Secret key encryption model (the sender and the receiver use the same
key to encrypt and decrypt)


A first systematic and information-theoretic study of secret key cryptosystems
can be found in Shannon's classical paper "Communication Theory of Secrecy
Systems" [20]. This paper was the first to introduce a secret key encryption
model, as shown in Fig. 1.5.

Prior to transmission of a plaintext P, a key source provides both the sender and 
the recipient with a shared key K. This key is used by the sender to encrypt the 
plaintext, obtaining a ciphertext C which is delivered to the receiver and possibly 
intercepted by an enemy eavesdropper. The receiver then uses the key K in order to 
reconstruct the clear plaintext P. 


1.2.2 Data Encryption Standard 


The data encryption standard (DES) is a secret key cryptosystem for the encryption 
of electronic data [19]. It was developed in the early 1970s at IBM and is based on an 
earlier design by Horst Feistel. The algorithm was submitted to the National Bureau 
of Standards (NBS) following the agency’s invitation to propose a candidate for 
the protection of sensitive, unclassified electronic government data. In 1976, after 
consultation with the National Security Agency (NSA), the NBS eventually selected 
a slightly modified version, which was published as an official federal information 
processing standard (FIPS) for the United States in 1977. 

The overall structure of DES is shown in Fig. 1.6. There are 16 identical stages
of processing, termed rounds. There is also an initial and a final permutation,
termed IP and FP, which are inverses of each other. Before the main rounds, the
block is divided into two 32-bit halves and processed alternately; this
criss-crossing is known as the Feistel scheme. The Feistel structure ensures that
decryption and encryption are very similar processes, the only difference being
that the subkeys are applied in the reverse order when decrypting. The rest of
the algorithm is identical. This greatly simplifies implementation, particularly
in hardware, as there is no need for separate encryption and decryption
algorithms.

Fig. 1.6 Structure of DES (|Plaintext| = |Ciphertext| = 64 bits; the round is
repeated 16 times)

The ⊕ symbol denotes the exclusive-OR (XOR) operation. The F-function scrambles
half a block together with some of the key. The output from the F-function is
then combined with the other half of the block, and the halves are swapped before
the next round. After the final round, the halves are swapped; this is a feature
of the Feistel structure which makes encryption and decryption similar processes.

The F-function, depicted in Fig. 1.7, operates on half a block (32 bits) at a time 
and consists of four stages: 


• Expansion: the 32-bit half-block is expanded to 48 bits using the expansion
permutation, denoted E in the diagram, by duplicating half of the bits. The output
consists of eight 6-bit pieces (8 × 6 = 48 bits), each containing a copy of 4
corresponding input bits, plus a copy of the immediately adjacent bit from each
of the input pieces to either side.

• Key mixing: the result is combined with a subkey using an XOR operation.
Sixteen 48-bit subkeys, one for each round, are derived from the main key using
the key schedule (described below).

• Substitution: after mixing in the subkey, the block is divided into eight 6-bit
pieces before processing by the S-boxes, or substitution boxes. Each of the eight
S-boxes replaces its six input bits with four output bits according to a
nonlinear transformation, provided in the form of a lookup table. The S-boxes
provide the core of the security of DES; without them, the cipher would be linear
and trivially breakable.

• Permutation: finally, the 32 outputs from the S-boxes are rearranged according
to a fixed permutation, the P-box. This is designed so that, after permutation,
each S-box's output bits are spread across 4 different S-boxes in the next round.

Fig. 1.7 F-function (inputs: the half block, 32 bits, and the subkey, 48 bits)


The alternation of substitution from the S-boxes and permutation of bits from the 
P-box and E-expansion provide the so-called confusion and diffusion, respectively, 
a concept identified by Claude Shannon in the 1940s as a necessary condition for 
a secure yet practical cipher. Diffusion means that if we change a character of the 
plaintext, then several characters of the ciphertext should change, and similarly, if 
we change a character of the ciphertext, then several characters of the plaintext 
should change. Confusion means that the key does not relate in a simple way to the 
ciphertext. In particular, each character of the ciphertext should depend on several 
parts of the key. 
Fig. 1.8 Key schedule of DES (a 64-bit key yields subkeys 1 to 16, each 48 bits)


The key schedule of DES is illustrated in Fig. 1.8. It generates 16 subkeys. 

Initially, 56 bits of the key are selected from the initial 64 bits by Permuted 
Choice 1 (PC-1) and the remaining eight bits are either discarded or used as parity 
check bits. The 56 bits are then divided into two 28-bit halves; each half is thereafter 
treated separately. In successive rounds, both halves are rotated left by one or two 
bits (specified for each round), and then 48 subkey bits are selected by Permuted 
Choice 2 (PC-2), 24 bits from the left half and 24 from the right. The rotations 
(denoted by “<<<” in the diagram) mean that a different set of bits is used in each 
subkey; each bit is used in approximately 14 out of the 16 subkeys. 

The key schedule for decryption is similar. The subkeys are in reverse order 
compared to encryption. Apart from that change, the process is the same as for 
encryption. 
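Added example (not from the book): the DES key schedule of Fig. 1.8 with the PC-1, PC-2 and rotation tables from the DES standard, a count of how many of the 16 subkeys each key bit lands in, and the Feistel property that decryption is the same routine with the subkeys reversed. The round function toy_f is a stand-in chosen here, not the DES F-function, and the initial and final permutations are omitted.

```python
# Permuted Choice 1: selects 56 of the 64 key bits (parity bits 8, 16, ..., 64 are
# dropped). Entries are 1-indexed bit positions counted from the MSB, as in FIPS 46.
PC1 = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
       10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
       14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4]
# Permuted Choice 2: selects 48 of the 56 bits (24 from each 28-bit half).
PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
       23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
       41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]
# Left-rotation amount ("<<<") applied to each half in each of the 16 rounds.
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]
MASK32 = 0xFFFFFFFF


def to_bits(value: int, width: int) -> list:
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def from_bits(bits: list) -> int:
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def permute(items: list, table: list) -> list:
    return [items[i - 1] for i in table]


def _schedule(key_items: list) -> list:
    """Fig. 1.8 on any 64-item list: PC-1, split into C/D halves, rotate, PC-2."""
    cd = permute(key_items, PC1)
    c, d = cd[:28], cd[28:]
    rounds = []
    for s in SHIFTS:
        c, d = c[s:] + c[:s], d[s:] + d[:s]
        rounds.append(permute(c + d, PC2))
    return rounds


def des_subkeys(key: int) -> list:
    """The 16 48-bit subkeys K1..K16 of a 64-bit DES key, as integers."""
    return [from_bits(r) for r in _schedule(to_bits(key, 64))]


def key_bit_usage() -> dict:
    """Run the schedule on bit *labels* 1..64 instead of bit values to count in
    how many of the 16 subkeys each original key bit appears (about 14)."""
    usage = {label: 0 for label in range(1, 65)}
    for subkey in _schedule(list(range(1, 65))):
        for label in subkey:
            usage[label] += 1
    return usage


def toy_f(half: int, subkey: int) -> int:
    """Stand-in round function, NOT the DES F (no E, S-boxes or P-box); the
    Feistel inverse property below holds for any F, which keeps this short."""
    x = (half ^ (subkey & MASK32) ^ (subkey >> 16)) & MASK32
    x = (x * 0x9E3779B1) & MASK32
    return ((x << 13) | (x >> 19)) & MASK32


def feistel(block: int, subkeys: list) -> int:
    """16 Feistel rounds on a 64-bit block (IP/FP omitted): each round maps
    (L, R) -> (R, L xor F(R, K)); the final swap makes the same routine, run
    with the subkeys reversed, the exact inverse."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ toy_f(right, k)
    return (right << 32) | left


def encrypt(block: int, key: int) -> int:
    return feistel(block, des_subkeys(key))


def decrypt(block: int, key: int) -> int:
    return feistel(block, des_subkeys(key)[::-1])  # same code, reversed subkeys
```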

Although more information has been published on the cryptanalysis of DES than on
any other block cipher, the most practical attack to date is still a brute-force
approach. There are three attacks known that can break the full 16 rounds of DES
with less complexity than a brute-force search: differential cryptanalysis (DC)
[2], linear cryptanalysis (LC) [15], and Davies' attack [9]. However, these
attacks are theoretical and are infeasible to mount in practice.


1.2.3 Advanced Encryption Standard 


The DES cryptosystem (with its variations) was widely used for more than 20 years.
The main problem of the DES algorithm was its relatively short secret key, with
$2^{56}$ possible keys. Although this is a fairly large number, with sufficient
computational resources brute-force attacks on DES are feasible. So-called DES
challenges, where a large number of computers connected to the Internet
exhaustively searched the key space, demonstrated this weakness dramatically. The
first DES challenge in 1997 was completed in 4.5 months, the second in 1998 in 39
days, and the third and final DES challenge in 1999 was completed in less than a
day (22.5 h).

Fig. 1.9 Encryption and decryption of AES

In 1997 the US National Institute of Standards and Technology (NIST) started a
public competition to select an algorithm to replace DES. The algorithm was
required to support key sizes of 128, 192, and 256 bits and to be free of any
patents. The selection process consisted of several rounds in which candidate
algorithms were evaluated. At the end of the first round in August 1998, 15
algorithms were accepted as candidates. In the next round in August 1999, the
candidates were reduced to five finalist algorithms (MARS, Blowfish, RC6,
Rijndael, Serpent). Finally, in April 2000 the Rijndael algorithm was selected
as the winner. On 2 October 2000, NIST officially announced that Rijndael had
been chosen as the Advanced Encryption Standard (AES) [8].

The AES algorithm operates on 128-bit data blocks and supports three different
key sizes of 128, 192, and 256 bits. These three flavors of the AES algorithm are
also referred to as AES-128, AES-192, and AES-256, for 128-, 192-, and 256-bit
keys, respectively. An AES encryption process consists of a number of encryption
rounds ($N_r$) that depends on the size of the key. The standard calls for 10
rounds for AES-128, 12 rounds for AES-192, and 14 rounds for AES-256.

During encryption, each round is composed of a set of four basic operations. The 
decryption process applies the inverse of these operations in reverse order. Figure 1.9 
shows the basic structure of the AES encryption and decryption. 
Fig. 1.10 State of AES

Fig. 1.12 InvMixColumns of AES decryption
AES operates on a 4 × 4 column-major order matrix of bytes, termed the state, as
shown in Fig. 1.10, where the element $S_{r,c}$ is an 8-bit value that
corresponds to row r and column c of the state. Most AES calculations are done in
a special finite field.

AES can be described as follows:


• KeyExpansion: round keys are derived from the key using the AES key schedule.
AES requires a separate 128-bit round key block for each round plus one more.

• InitialRound
  AddRoundKey: each byte of the state is combined with a block of the round key
  using bitwise XOR.

• Rounds
  SubBytes: a nonlinear substitution step where each byte is replaced with
  another according to a lookup table.
  ShiftRows: a transposition step where the last three rows of the state are
  shifted cyclically a certain number of steps.
  MixColumns: a mixing operation which operates on the columns of the state,
  combining the four bytes in each column. MixColumns for encryption is defined
  as in Fig. 1.11, while InvMixColumns for decryption is defined as in Fig. 1.12.
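Added example (not from the book): the GF(2^8) arithmetic behind MixColumns and InvMixColumns (Figs. 1.11 and 1.12) and the ShiftRows step, on the column-major state of Fig. 1.10. The reduction polynomial x^8 + x^4 + x^3 + x + 1 and the two matrices are those of the AES standard.

```python
# Reduction polynomial of the AES field GF(2^8): x^8 + x^4 + x^3 + x + 1.
AES_POLY = 0x11B

# MixColumns multiplies each state column by this circulant matrix over GF(2^8);
# InvMixColumns uses its inverse (the matrices of Figs. 1.11 and 1.12).
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as polynomials over GF(2), reducing modulo AES_POLY
    whenever the degree reaches 8 (the "special finite field" arithmetic)."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return product & 0xFF


def mix_column(column: list, matrix: list = MIX) -> list:
    """Matrix-vector product over GF(2^8) for one 4-byte column."""
    result = []
    for row in matrix:
        acc = 0
        for coeff, byte in zip(row, column):
            acc ^= gf_mul(coeff, byte)
        result.append(acc)
    return result


def mix_columns(state: list) -> list:
    """state is a list of 4 columns, i.e. state[c][r] holds S_{r,c} (Fig. 1.10)."""
    return [mix_column(col, MIX) for col in state]


def inv_mix_columns(state: list) -> list:
    return [mix_column(col, INV_MIX) for col in state]


def shift_rows(state: list) -> list:
    """Row r of the state is rotated left by r positions (row 0 is unchanged)."""
    return [[state[(c + r) % 4][r] for r in range(4)] for c in range(4)]


def inv_shift_rows(state: list) -> list:
    return [[state[(c - r) % 4][r] for r in range(4)] for c in range(4)]
```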
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Until May 2009, the only successful published attacks against the full AES were 
side-channel attacks on some specific implementations. NSA reviewed all the AES 
finalists, including Rijndael, and stated that all of them were secure enough for US 
government non-classified data. In June 2003, the US government announced that 
AES could be used to protect classified information. 

The design and strength of all key lengths of the AES algorithm (i.e., 128, 192, 
and 256) are sufficient to protect classified information up to the SECRET level. 
TOP SECRET information will require use of either the 192 or 256 key lengths. The 
implementation of AES in products intended to protect national security systems 
and/or information must be reviewed and certified by the NSA prior to their 
acquisition and use. 


1.3 Public-Key Encryption 


1.3.1 Public-Key Encryption Model 


During the early history of encryption, two parties would rely upon a key that they 
would exchange between themselves by means of a secure method. For example, a 
face-to-face meeting or an exchange, via a trusted courier, could be used. This key, 
which both parties kept absolutely secret, could then be used to exchange encrypted 
messages. A number of significant practical difficulties arise with this approach to 
distributing keys. 

Public-key encryption addresses these drawbacks so that users can communicate
securely over a public channel without having to agree upon a shared key
beforehand.

The public-key encryption model, as shown in Fig. 1.13, was introduced in 1976 
by Whitfield Diffie and Martin Hellman [10] who, influenced by Ralph Merkle’s 
work on public-key distribution, disclosed a method of public-key agreement. 

Public-key encryption, also called asymmetric key encryption, is a class of 
algorithms which require two separate keys, one of which is secret (or private) 
and one of which is public. Although different, the two parts of this key pair are 
mathematically linked. The public key is used to encrypt plaintext; whereas the 
private key is used to decrypt ciphertext. The term “asymmetric” stems from the use 
of different keys to perform these opposite functions, each the inverse of the other, 
as contrasted with conventional (“symmetric key”) encryption which relies on the 
same key to perform both. 
Fig. 1.13 Public-key encryption model


In general, a public-key cryptosystem, associated with a key space K, a
plaintext space M, and a ciphertext space C, consists of three algorithms as
follows:


• Key generation algorithm (KG): given a security parameter k, a public and
private key pair (pk, sk) is generated, where sk ∈ K. The public key pk is
published to the public, while the private key sk is known to its owner only.

• Encryption algorithm (E): given a plaintext m ∈ M and a public key pk, a
ciphertext c is produced, denoted as c = E(m, pk), where c ∈ C.

• Decryption algorithm (D): given a ciphertext c = E(m, pk) and the private key
sk, the plaintext m is recovered, denoted as m = D(c, sk).


The encryption algorithm E, a map from the plaintext space M to the ciphertext
space C, must be a trapdoor one-way function. For virtually all ciphertexts c =
E(m, pk), it must be computationally infeasible to recover the plaintext m from
a given pk and c. However, since the legitimate recipient of the message must be
able to recover m from c, more is required of the one-way function. Specifically,
each E must have an inverse D, and this inverse must be easily obtainable given
some additional secret information sk. The extra information sk is called a
trapdoor of E, and the function E itself is called a trapdoor one-way function.
It is also required that, with knowledge of sk, m = D(c, sk) be easy to compute
for all c in the ciphertext space.

Trapdoor functions are based on mathematical problems which currently admit no
efficient solution, such as those inherent in certain integer factorization,
discrete logarithm, and elliptic curve relationships. It is computationally easy
for a user to generate their own public and private key pair and to use them for
encryption and decryption. The strength lies in the fact that it is "impossible"
(computationally infeasible) for a properly generated private key to be
determined from its corresponding public key. Thus the public key may be
published without compromising security, whereas the private key must not be
revealed to anyone not authorized to read messages. Public-key algorithms, unlike
secret key algorithms, do not require a secure initial exchange of one (or more)
secret keys between the parties.


1.3.2 RSA 


Diffie and Hellman introduced the great idea of the public-key cryptosystem in
1976, but they did not provide a practical public-key cryptosystem. In 1977, the
first practicable public-key cryptosystem, RSA [18], was proposed by Ron Rivest,
Adi Shamir, and Leonard Adleman and named after them. In RSA, the encryption key
is public and differs from the decryption key, which is kept secret, and the
security is based on the practical difficulty of factoring the product of two
large prime numbers, the factoring problem. Clifford Cocks, an English
mathematician, had developed an equivalent system in 1973, but it was not
declassified until 1997.

The RSA algorithm involves three algorithms: key generation, encryption, and 
decryption algorithms as follows. 


Key Generation: RSA involves a public key and a private key. The public key can 
be known by everyone and is used for encrypting messages. Messages encrypted 
with the public key can only be decrypted in a reasonable amount of time using the 
private key. The keys for the RSA algorithm are generated in the following way: 


1. Choose two distinct prime numbers p and q. For security purposes, the integers 
p and q should be chosen at random and should be of similar bit-length. Prime 
integers can be efficiently found using a primality test. 

2. Compute 


n = pq (1.1) 


n is used as the modulus for both the public and private keys. Its length, usually 
expressed in bits, is the key length. 
3. Compute 

$\phi(n) = \phi(p)\,\phi(q) = (p - 1)(q - 1)$ (1.2) 

where φ is Euler’s totient function (i.e., the number of positive integers less than 
n and relatively prime to n). 
4. Choose an integer e such that 1 < e < φ(n) and 

$\gcd(e, \phi(n)) = 1$ 

In other words, e and φ(n) are coprime. e is released as the public-key exponent. 
e having a short bit-length and small Hamming weight results in more efficient 
encryption, most commonly 2^16 + 1 = 65,537. However, much smaller values 
of e (such as 3) have been shown to be less secure in some settings [4]. 
5. Determine d as 

$d = e^{-1} \pmod{\phi(n)}$ (1.3) 

that is, d is the multiplicative inverse of e (mod φ(n)). 

This is more clearly stated as: solve for d given e · d ≡ 1 (mod φ(n)). This is often 
computed using the extended Euclidean algorithm. The public key consists of the 
modulus n and the public (or encryption) exponent e. The private key consists of the 
modulus n and the private (or decryption) exponent d, which must be kept secret. 
p, q, and φ(n) must also be kept secret because they can be used to calculate d. 


Encryption: Alice transmits her public key (n, e) to Bob and keeps the private key 
secret. Bob then wishes to send message M to Alice. 

He first turns M into an integer m, such that 0 < m < n by using an agreed-upon 
reversible protocol known as a padding scheme. He then computes the ciphertext c 
corresponding to 


$c = m^e \pmod{n}$ (1.4) 


This can be done quickly using the method of exponentiation by squaring. Bob 
then transmits c to Alice. 


Decryption: Alice can recover m from c by using her private key exponent d by 
computing 


$m = c^d \pmod{n}$ (1.5) 


Given m, she can recover the original message M by reversing the padding 
scheme. 


RSA Example: The parameters used here are artificially small, but one can also 
use OpenSSL to generate and examine a real key pair. 


1. Choose two distinct prime numbers, such as 
p = 61, q = 53 
2. Compute n = pq, giving 
n = 61 × 53 = 3233 
3. Compute the totient of the product as φ(n) = (p − 1)(q − 1), giving 

φ(3233) = (61 − 1) × (53 − 1) = 3120 
4. Choose any number 1 < e < 3120 that is coprime to 3120. Choosing a prime 
number for e leaves us only to check that e is not a divisor of 3120. Let 

e = 17 
5. Compute d, the modular multiplicative inverse of e (mod φ(n)), yielding 
d = 2753 


The public key is (n = 3233,e = 17). For a padded plaintext message m, the 
encryption function is 


$c = m^{17} \pmod{3233}.$ 

The private key is (n = 3233, d = 2753). For an encrypted ciphertext c, the 
decryption function is 

$m = c^{2753} \pmod{3233}.$ 
For instance, in order to encrypt 
m = 65 
we calculate 
$c = 65^{17} \equiv 2790 \pmod{3233}.$ 
To decrypt c = 2790, we calculate 
$m = 2790^{2753} \equiv 65 \pmod{3233}.$ 
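The key generation, encryption and decryption steps above, carried out on the same toy parameters (p = 61, q = 53, e = 17), as an added example that is not code from the book; the function names are the editor's own. It also checks the multiplicative property of unpadded RSA that Sect. 2.1 revisits. 

```python
# Textbook (unpadded) RSA on the chapter's toy key. Added example; helper names are
# the editor's own. Never use parameters this small, or unpadded RSA, in practice.

def egcd(a, b):
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x1, y1 = egcd(b, a % b)
    return g, y1, x1 - (a // b) * y1


def modinv(a, m):
    """Multiplicative inverse of a modulo m (Eq. (1.3)); raises if gcd(a, m) != 1."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return x % m


def rsa_keygen(p, q, e=65537):
    """Key generation steps 1-5: returns ((n, e), (n, d))."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q                          # Eq. (1.1)
    phi = (p - 1) * (q - 1)            # Eq. (1.2), Euler's totient of n
    if not (1 < e < phi) or egcd(e, phi)[0] != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = modinv(e, phi)                 # e * d = 1 (mod phi(n))
    return (n, e), (n, d)


def powmod(base, exp, mod):
    """Exponentiation by squaring, the method the text refers to (same as pow(base, exp, mod))."""
    result = 1
    base %= mod
    while exp > 0:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result


def rsa_encrypt(pub, m):
    """Eq. (1.4): c = m^e mod n, for an already padded integer 0 <= m < n."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must satisfy 0 <= m < n")
    return powmod(m, e, n)


def rsa_decrypt(priv, c):
    """Eq. (1.5): m = c^d mod n."""
    n, d = priv
    return powmod(c, d, n)


def rsa_multiply_ciphertexts(pub, c1, c2):
    """Unpadded RSA is multiplicatively homomorphic: E(m1) * E(m2) = E(m1 * m2) mod n."""
    n, _ = pub
    return c1 * c2 % n


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, 17)
    c = rsa_encrypt(pub, 65)
    print("public", pub, "private", priv, "c", c, "m", rsa_decrypt(priv, c))
```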


RSA Security: There are a number of attacks against plain RSA as described 
below: 


1. When encrypting with low encryption exponents (e.g., e = 3) and small values 
of m (i.e., m < n^{1/e}), the result of m^e is strictly less than the modulus n. 
In this case, ciphertexts can be easily decrypted by taking the e-th root of the 
ciphertext over the integers. 

2. If the same clear text message is sent to e or more recipients in an encrypted way, 
and the receivers share the same exponent e, but different p, q, and therefore 
n, then it is easy to decrypt the original clear text message via the Chinese 
remainder theorem. Johan Håstad [11] noticed that this attack is possible even 
if the cleartexts are not equal, but the attacker knows a linear relation between 
them. This attack was later improved by Don Coppersmith [6]. 
3. Because RSA encryption is a deterministic encryption algorithm (i.e., has no 
random component), an attacker can successfully launch a chosen-plaintext 
attack against the cryptosystem by encrypting likely plaintexts under the public 
key and testing whether they are equal to the ciphertext. A cryptosystem is called 
semantically secure if an attacker cannot distinguish two encryptions from each 
other even if the attacker knows (or has chosen) the corresponding plaintexts. 
As described above, RSA without padding is not semantically secure. 

4. RSA has the property that the product of two ciphertexts is equal to the 
encryption of the product of the respective plaintexts. That is, m_1^e · m_2^e ≡ 
(m_1 m_2)^e (mod n). Because of this multiplicative property, a chosen-ciphertext 
attack is possible, e.g., an attacker who wants to know the decryption of a 
ciphertext c = m^e (mod n) may ask the holder of the private key to decrypt 
an unsuspicious-looking ciphertext c′ = c · r^e (mod n) for some value r chosen 
by the attacker. Because of the multiplicative property, c′ is the encryption of 
m · r (mod n). Hence, if the attacker is successful with the attack, he or she will 
learn m · r (mod n), from which he or she can derive the message m by multiplying 
m · r with the modular inverse of r modulo n. 


To avoid these problems, practical RSA implementations typically embed some 
form of structured, randomized padding into the value m before encrypting it. This 
padding ensures that m does not fall into the range of insecure plaintexts and that 
a given message, once padded, will encrypt to one of a large number of different 
possible ciphertexts. 

The security of RSA is based on two mathematical problems: the problem of 
factoring large numbers and the RSA problem. It is easy to multiply two large 
prime numbers, but no algorithm is known that is able to factorize a large number 
efficiently. The RSA problem is defined as the task of taking e-th roots modulo a 
composite n: recovering a value m such that c = m^e (mod n), where (n, e) is an 
RSA public key and c is an RSA ciphertext. Currently the most promising approach 
to solving the RSA problem is to factor the modulus n. With the ability to recover 
prime factors, an attacker can compute the secret exponent d from a public key 
(n,e), then decrypt c using the standard procedure. To accomplish this, an attacker 
factors n into p and q and computes (p — 1)(q — 1) which allows the determination 
of d from e. 

However, it has not been proved that RSA is as secure as factoring. It can be shown that 
if an attacker is able to generate a private key from a public key, he or she is also 
able to factorize large numbers. But to date nobody has been able to prove that an 
attacker who is able to decrypt messages is also able to factorize large numbers. So 
it is unknown whether the complexity of the RSA problem is the same as the complexity 
of factoring. 
1.3.3 Rabin Public-Key Encryption 


In 1979, two years after the publication of RSA, Michael O. Rabin [17] proposed the 
Rabin public-key algorithm, which has the advantage of being provably as secure as 
factoring. 

As with all asymmetric cryptosystems, the Rabin system uses both a public and 
a private key. The public key is necessary for later encryption and can be published, 
while the private key must be possessed only by the recipient of the message. 


Key Generation: The precise key generation process is as follows: 


• Choose two large distinct primes p and q. One may choose p ≡ q ≡ 3 (mod 4) 
to simplify the computation of square roots modulo p and q. But the scheme 
works with any primes. 

• Let n = p · q. Then n is the public key. The primes p and q are the private key. 
To encrypt a message only the public key n is needed. To decrypt a ciphertext the 
factors p and q of n are necessary. 


As a (non-real-world) example, if p = 7 and q = 11, then n = 77. The public 
key, 77, would be released, and the message encoded using this key. And, in order to 
decode the message, the private keys, 7 and 11, would have to be known (of course, 
this would be a poor choice of keys, as the factorization of 77 is trivial; in reality 
much larger numbers would be used). 


Encryption: For the encryption, only the public key n is used, thus producing a 
ciphertext out of the plaintext. The process is as follows: 

Let P = {0, ..., n − 1} be the plaintext space (consisting of numbers) and m ∈ P 
be the plaintext. Now the ciphertext c is determined by 

$c = m^2 \pmod{n}$ (1.6) 


That is, c is the quadratic remainder of the square of the plaintext, modulo the 
public key n. 

In the simple example, P = {0, ..., 76} is the plaintext space. We will take m = 
20 as the plaintext. The ciphertext is thus c = m^2 (mod n) = 400 (mod 77) = 15. 
For exactly four different values of m, the ciphertext 15 is produced, i.e., for m ∈ 
{13, 20, 57, 64}. This is true for most ciphertexts produced by the Rabin algorithm, 
i.e., it is a four-to-one function. 


Decryption: To decode the ciphertext, the private keys are necessary. The process 
is as follows: 

If c and n are known, the plaintext is then m ∈ {0, ..., n − 1} with m^2 = 
c (mod n). For a composite n (that is, like the Rabin algorithm’s n = p · q) there is 
no efficient method known for finding m. If, however, n is prime (as are p and 
q in the Rabin algorithm), square roots modulo n can be found efficiently, and the 
Chinese remainder theorem can then be applied to solve for m. 
Thus the square roots 

$m_p = \sqrt{c} \pmod{p}$ (1.7) 
$m_q = \sqrt{c} \pmod{q}$ (1.8) 

must be calculated. 
When p ≡ q ≡ 3 (mod 4), we can compute square roots by 

$m_p = c^{(p+1)/4} \pmod{p}$ (1.9) 
$m_q = c^{(q+1)/4} \pmod{q}$ (1.10) 

In the example we get m_p = 1 and m_q = 9. 

By applying the extended Euclidean algorithm, we wish to find y_p and y_q such 
that y_p · p + y_q · q = 1. In the example, we have y_p = −3 and y_q = 2. 

Now, by invocation of the Chinese remainder theorem, the four square roots 
+r, −r, +s, and −s of c + nZ ∈ Z/nZ are calculated (Z/nZ here stands for the ring 
of congruence classes modulo n). The four square roots are in the set {0, ..., n − 1}: 

$r = (y_p \cdot p \cdot m_q + y_q \cdot q \cdot m_p) \bmod n$ (1.11) 

$-r = n - r$ (1.12) 

$s = (y_p \cdot p \cdot m_q - y_q \cdot q \cdot m_p) \bmod n$ (1.13) 

$-s = n - s$ (1.14) 

One of these square roots mod n is the original plaintext m. In the example, 
m ∈ {64, 20, 13, 57}. 


Security: Rabin pointed out in his paper that if someone is able to compute both 
r and s, then he is also able to find the factorization of n, because either gcd(|r − 
s|, n) = p or gcd(|r − s|, n) = q, where gcd means greatest common divisor. Since 
the greatest common divisor can be calculated efficiently, you are able to find the 
factorization of n efficiently if you know r and s. In our example (picking 57 
and 13 as r and s): 

gcd(57 − 13, 77) = gcd(44, 77) = 11 = q 
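Rabin decryption, Eqs. (1.7) to (1.14), and Rabin's factoring observation above, run on the chapter's toy key p = 7, q = 11 and ciphertext c = 15. This is an added example, not code from the book; the function names are the editor's own, and Python's pow(x, -1, m) stands in for the extended Euclidean algorithm when computing y_p and y_q. 

```python
# Rabin encryption/decryption on the chapter's toy parameters. Added example;
# names are the editor's own. Keys this small exist only to follow the text.
from math import gcd


def rabin_encrypt(n, m):
    """Eq. (1.6): c = m^2 mod n, for a plaintext 0 <= m < n."""
    if not 0 <= m < n:
        raise ValueError("plaintext must satisfy 0 <= m < n")
    return m * m % n


def rabin_decrypt(p, q, c):
    """Return the four square roots (r, -r, s, -s) of c modulo n = pq.

    Uses the shortcut of Eqs. (1.9)-(1.10), so p = q = 3 (mod 4) is required;
    the roots are then combined with the Chinese remainder theorem, Eqs. (1.11)-(1.14).
    """
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("this square-root shortcut needs p = q = 3 (mod 4)")
    n = p * q
    m_p = pow(c, (p + 1) // 4, p)          # Eq. (1.9): sqrt(c) mod p
    m_q = pow(c, (q + 1) // 4, q)          # Eq. (1.10): sqrt(c) mod q
    # Bezout coefficients with y_p*p + y_q*q = 1 (the text obtains them with the
    # extended Euclidean algorithm; here they come from modular inverses).
    y_p = pow(p, -1, q)                    # y_p * p = 1 (mod q)
    y_q = pow(q, -1, p)                    # y_q * q = 1 (mod p)
    r = (y_p * p * m_q + y_q * q * m_p) % n   # Eq. (1.11)
    s = (y_p * p * m_q - y_q * q * m_p) % n   # Eq. (1.13)
    return r, n - r, s, n - s              # Eqs. (1.12) and (1.14)


def factor_from_roots(n, r, s):
    """Rabin's observation: two roots with r != +-s (mod n) give gcd(|r - s|, n) in {p, q}."""
    g = gcd(abs(r - s), n)
    if g in (1, n):
        raise ValueError("r and s must be square roots with r != +-s (mod n)")
    return g


if __name__ == "__main__":
    n = 7 * 11
    c = rabin_encrypt(n, 20)
    roots = rabin_decrypt(7, 11, c)
    print("c =", c, "roots =", roots, "factor =", factor_from_roots(n, 57, 13))
```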


The Rabin scheme has, however, a downside: every decryption operation produces 
four possible outputs, and thus it is not suitable for practical applications. Williams 
[22] suggested a change that avoids these ambiguities. This is called the 
Rabin–Williams algorithm. 
1.3.4 Public-Key Cryptography Standards 


The public-key cryptography standards (PKCS) are a set of standard protocols 
for making possible secure information exchange on the Internet using a public- 
key infrastructure (PKI). The standards include RSA encryption, password-based 
encryption, extended certificate syntax, and cryptographic message syntax for 
S/MIME, RSA’s proposed standard for secure e-mail. The standards were developed 
by RSA Laboratories in cooperation with a consortium that included Apple, 
Microsoft, DEC, Lotus, Sun, and MIT. 

Public-key cryptography standards (PKCS) #1 provides the basic definitions 
of and recommendations for implementing the RSA algorithm for public-key 
cryptography. It defines the mathematical properties of public and private keys, 
primitive operations for encryption and signatures, secure cryptographic schemes, 
and related ASN.1 syntax representations. The current version, 2.1, was published 
in June 2002 and was also republished as RFC 3447 in February 2003. 

Standards such as PKCS#1 have been carefully designed to securely pad 
messages prior to RSA encryption. Because these schemes pad the plaintext m 
with some number of additional bits, the size of the un-padded message must 
be somewhat smaller. RSA padding schemes must be carefully designed so as to 
prevent sophisticated attacks which may be facilitated by a predictable message 
structure. Early versions of the PKCS#1 standard (up to version 1.5) used a 
construction that appears to make RSA semantically secure. However, at Eurocrypt 
2000, Coron et al. [7] showed that for some types of messages, this padding 
does not provide a high enough level of security. Furthermore, at Crypto 1998, 
Bleichenbacher [3] showed that this version is vulnerable to a practical adaptive 
chosen-ciphertext attack. Later versions of the standard include optimal asymmetric 
encryption padding (OAEP) [1], which prevents these attacks. As such, OAEP 
should be used in any new application, and PKCS#1 v1.5 padding should be 
replaced wherever possible. 

Optimal asymmetric encryption padding (OAEP) is a padding scheme often used 
together with RSA encryption. OAEP was introduced by Bellare and Rogaway [1] 
and subsequently standardized in PKCS #1v2 and RFC 2437. 

The OAEP algorithm is a form of Feistel network which uses a pair of random 
oracles G and H to process the plaintext prior to asymmetric encryption. When 
combined with any secure trapdoor one-way permutation, this processing is proved 
in the random oracle model to result in a combined scheme which is semantically 
secure under chosen-plaintext attack (IND-CPA). When implemented with certain 
trapdoor permutations (e.g., RSA), OAEP is also proved secure against chosen- 
ciphertext attack. OAEP can be used to build an all-or-nothing transform. 

The OAEP algorithm can be depicted in a diagram as shown in Fig. 1.14. In the 
diagram, 


• n is the number of bits in the RSA modulus. 
• k_0 and k_1 are integers fixed by the protocol. 
• m is the plaintext message, an (n − k_0 − k_1)-bit string. 
• G and H are typically some cryptographic hash functions fixed by the protocol. 

Fig. 1.14 Optimal asymmetric encryption padding (OAEP) 


To encode, 


Step 1. Pad the message with k_1 zeros to be n − k_0 bits in length. 
Step 2. Generate a random k_0-bit string r. 

Step 3. Expand the k_0 bits of r to n − k_0 bits with G. 

Step 4. Let 

$X = m00\ldots0 \oplus G(r)$ (1.15) 

Step 5. Reduce the n − k_0 bits of X to k_0 bits with H. 
Step 6. Let 

$Y = r \oplus H(X)$ (1.16) 

Step 7. The output is X||Y, where X is shown in the diagram as the leftmost block 
and Y as the rightmost block. 
To decode, 

Step 1′. Recover the random string as 
$r = Y \oplus H(X)$ (1.17) 
Step 2′. Recover the message as 
$m00\ldots0 = X \oplus G(r)$ (1.18) 
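The encode and decode steps above, Eqs. (1.15) to (1.18), as an added example that is not code from the book or from PKCS #1. It works on bytes instead of bits (n = 256, k_0 = k_1 = 64 bits) and assumes G and H are both instantiated with a SHA-256 counter-mode mask generator, an editor's choice; the text only says they are hash functions fixed by the protocol. 

```python
# OAEP padding as described in the chapter (Fig. 1.14). Added example; sizes and
# the choice of G and H are assumptions of the editor, not the standard's parameters.
import hashlib
import os

N_BYTES, K0, K1 = 32, 8, 8            # n = 256 bits, k0 = k1 = 64 bits
MSG_LEN = N_BYTES - K0 - K1           # m is an (n - k0 - k1)-bit string


def mgf(seed, length):
    """Counter-mode SHA-256 mask generator producing `length` bytes from `seed`."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def G(r):
    """Step 3: expand the k0-bit r to n - k0 bits (domain-separated from H)."""
    return mgf(b"G" + r, N_BYTES - K0)


def H(x):
    """Step 5: reduce the (n - k0)-bit X to k0 bits."""
    return mgf(b"H" + x, K0)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(m, r=None):
    """Steps 1-7: return X || Y for a message of exactly MSG_LEN bytes."""
    if len(m) != MSG_LEN:
        raise ValueError(f"message must be {MSG_LEN} bytes")
    if r is None:
        r = os.urandom(K0)            # Step 2: fresh random k0-bit string
    if len(r) != K0:
        raise ValueError(f"r must be {K0} bytes")
    padded = m + bytes(K1)            # Step 1: m00..0
    x = xor(padded, G(r))             # Step 4, Eq. (1.15)
    y = xor(r, H(x))                  # Step 6, Eq. (1.16)
    return x + y                      # Step 7


def oaep_decode(block):
    """Steps 1' and 2': recover m, rejecting blocks whose k1 zero bits do not check."""
    if len(block) != N_BYTES:
        raise ValueError(f"block must be {N_BYTES} bytes")
    x, y = block[:N_BYTES - K0], block[N_BYTES - K0:]
    r = xor(y, H(x))                  # Eq. (1.17)
    padded = xor(x, G(r))             # Eq. (1.18)
    m, zeros = padded[:MSG_LEN], padded[MSG_LEN:]
    if zeros != bytes(K1):
        raise ValueError("invalid padding")   # the all-or-nothing check
    return m


if __name__ == "__main__":
    msg = b"sixteen byte msg"        # constructed sample plaintext
    block = oaep_encode(msg)
    print(block.hex(), oaep_decode(block))
```

Because decoding needs all of X and all of Y, flipping a single bit of the block changes r and therefore G(r), so the k_1 zero bits fail to check and the decoder rejects the block. 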


The “all-or-nothing” security is from the fact that to recover m, you must recover 
the entire X and the entire Y; X is required to recover r from Y, and r is required 
to recover m from X. Since any changed bit of a cryptographic hash completely 
changes the result, the entire X and the entire Y must both be completely recovered. 

OAEP satisfies the following two goals: 


• Add an element of randomness which can be used to convert a deterministic 
encryption scheme (e.g., traditional RSA) into a probabilistic scheme. 

• Prevent partial decryption of ciphertexts (or other information leakage) by 
ensuring that an adversary cannot recover any portion of the plaintext without 
being able to invert the trapdoor one-way permutation. 
Chapter 2 
Homomorphic Encryption 


Abstract Homomorphic encryption is a form of encryption which allows specific 
types of computations to be carried out on ciphertexts and generate an encrypted 
result which, when decrypted, matches the result of operations performed on the 
plaintexts. This is a desirable feature in modern communication system architec- 
tures. RSA is the first public-key encryption scheme with a homomorphic property. 
However, for security, RSA has to pad a message with random bits before encryption 
to achieve semantic security. The padding results in RSA losing the homomorphic 
property. To avoid padding messages, many public-key encryption schemes with 
various homomorphic properties have been proposed in the last three decades. In this 
chapter, we introduce basic homomorphic encryption techniques. It begins with 
a formal definition of homomorphic encryption, followed by some well-known 
homomorphic encryption schemes. 


2.1 Homomorphic Encryption Definition 


In abstract algebra, a homomorphism is a structure-preserving map between two 
algebraic structures, such as groups. 

A group is a set, G, together with an operation ∘ (called the group law of G) 
that combines any two elements a and b to form another element, denoted a ∘ b. 
To qualify as a group, the set and operation, (G, ∘), must satisfy four requirements 
known as the group axioms: 


• Closure: For all a, b in G, the result of the operation, a ∘ b, is also in G. 

• Associativity: For all a, b, and c in G, (a ∘ b) ∘ c = a ∘ (b ∘ c). 

• Identity element: There exists an element e in G, such that for every element a 
in G, the equality e ∘ a = a ∘ e = a holds. Such an element is unique, and thus 
one speaks of the identity element. 

• Inverse element: For each a in G, there exists an element b in G such that a ∘ b = 
b ∘ a = e, where e is the identity element. 


The identity element of a group G is often written as 1. 

The result of an operation may depend on the order of the operands. In other 
words, the result of combining element a with element b need not yield the same 
result as combining element b with element a; the equation a ∘ b = b ∘ a may not 
always be true. This equation always holds in the group of integers under addition, 
because a + b = b + a for any two integers (commutativity of addition). Groups 
for which the commutativity equation a ∘ b = b ∘ a always holds are called abelian 
groups. 

Fig. 2.1 Group Homomorphism 

Given two groups (G, ⊙) and (H, ∘), a group homomorphism from (G, ⊙) to 
(H, ∘) is a function f : G → H such that for all g and g′ in G it holds that 

$f(g \odot g') = f(g) \circ f(g')$ (2.1) 


Group homomorphism can be illustrated as in Fig. 2.1. 

Let (P, C, K, E, D) be an encryption scheme, where P, C are the plaintext and 
ciphertext spaces, K is the key space, and E, D are the encryption and decryption 
algorithms. Assume that the plaintexts form a group (P, ⊙) and the ciphertexts 
form a group (C, ∘); then the encryption algorithm E is a map from the group P to 
the group C, i.e., E_k : P → C, where k ∈ K is either a secret key (in a secret key 
cryptosystem) or a public key (in a public-key cryptosystem). 

For all a and b in P and k in K, if 

$E_k(a) \circ E_k(b) = E_k(a \odot b)$ (2.2) 

the encryption scheme is homomorphic. 

In an unpadded RSA [18], assume that the public key pk = (n, e), the plaintexts 
form a group (P, ·), and the ciphertexts form a group (C, ·), where · is modular 
multiplication. For any two plaintexts m_1, m_2 in P, it holds that 

$E(m_1, pk) \cdot E(m_2, pk) = m_1^e \cdot m_2^e \pmod{n}$ 
$= (m_1 \cdot m_2)^e \pmod{n}$ 
$= E(m_1 \cdot m_2, pk)$ 

Therefore, the unpadded RSA has the homomorphic property. Unfortunately, the 
unpadded RSA is insecure. 
2.2 Goldwasser–Micali Encryption Scheme 


The Goldwasser–Micali (GM) encryption scheme [7] is a public-key encryption 
algorithm developed by Shafi Goldwasser and Silvio Micali in 1982. GM has the 
distinction of being the first probabilistic public-key encryption scheme which is 
provably secure under standard cryptographic assumptions. However, it is not an 
efficient cryptosystem, as ciphertexts may be several hundred times larger than the 
initial plaintext. To prove the security properties of the cryptosystem, Goldwasser 
and Micali proposed the widely used definition of semantic security. 

GM consists of three algorithms: a probabilistic key generation algorithm which 
produces a public and a private key, a probabilistic encryption algorithm, and a 
deterministic decryption algorithm. 

The scheme relies on deciding whether a given value x is a square mod N, 
given the factorization (p,q) of N. This can be accomplished using the following 
procedure: 


Compute 
$x_p = x \pmod{p}$ (2.3) 
$x_q = x \pmod{q}$ (2.4) 
If 
$x_p^{(p-1)/2} = 1 \pmod{p}$ (2.5) 
$x_q^{(q-1)/2} = 1 \pmod{q}$ (2.6) 

then x is a quadratic residue mod N. 


Key Generation: The modulus used in GM encryption is generated in the same 
manner as in the RSA cryptosystem. 

Alice generates two distinct large prime numbers p and q, such that p ≡ q ≡ 
3 (mod 4), randomly and independently of each other. Alice computes N = pq. 
She then finds some non-residue a such that 

$a^{(p-1)/2} = -1 \pmod{p}, \quad a^{(q-1)/2} = -1 \pmod{q}$ 

The public key consists of (a, N). The secret key is the factorization (p, q). 


Encryption: Suppose Bob wishes to send a message m to Alice. Bob first encodes 
m as a string of bits (m_1, ..., m_n). 

For every bit m_i, Bob generates a random value b_i from the group of units 
modulo N, i.e., gcd(b_i, N) = 1. He outputs the value 

$c_i = b_i^2 \cdot a^{m_i} \pmod{N}$ (2.7) 

Bob sends the ciphertext (c_1, c_2, ..., c_n) to Alice. 
Decryption: Alice receives (c_1, c_2, ..., c_n). She can recover m using the following 
procedure: 

For each i, using the prime factorization (p, q), Alice determines whether the 
value c_i is a quadratic residue; if so, m_i = 0, otherwise m_i = 1. Alice outputs the 
message m = (m_1, ..., m_n). 


GM Example: We choose small parameters in this example. In key generation, 
we let 

p = 7, q = 11 
where p ≡ q ≡ 3 (mod 4). So 
N = pq = 77 
Take 
a = 6 
where 

$6^{(7-1)/2} \equiv -1 \pmod{7}, \quad 6^{(11-1)/2} \equiv -1 \pmod{11}$ 

The public key is (6, 77) and the private key is (7, 11). 
To encrypt the 3-bit message m_1 m_2 m_3 = 101, choose 

b_1 = 2, b_2 = 3, b_3 = 5 
and compute 
$c_1 = 2^2 \cdot 6^1 \equiv 24 \pmod{77}$ 
$c_2 = 3^2 \cdot 6^0 \equiv 9 \pmod{77}$ 
$c_3 = 5^2 \cdot 6^1 \equiv 73 \pmod{77}$ 

The ciphertext is (24, 9, 73). 
To decrypt the ciphertext, compute 

$24^{(7-1)/2} \equiv -1 \pmod{7}$ 
$9^{(7-1)/2} \equiv 1 \pmod{7}, \quad 9^{(11-1)/2} \equiv 1 \pmod{11}$ 
$73^{(7-1)/2} \equiv -1 \pmod{7}$ 
This shows that 24 and 73 are quadratic non-residues and 9 is a quadratic residue, 
and thus the decryption outputs the plaintext 101. 


Homomorphic Property: The GM encryption scheme has a homomorphic property, 
in the sense that if c_0, c_1 are the encryptions of bits m_0, m_1, then c_0 c_1 (mod N) 
will be an encryption of m_0 ⊕ m_1, where ⊕ denotes addition modulo 2 (i.e., 
exclusive-OR). 

Assume that 

$c_0 = b_0^2 \cdot a^{m_0} \pmod{N}, \quad c_1 = b_1^2 \cdot a^{m_1} \pmod{N}$ 

we have 
$c_0 \cdot c_1 = (b_0^2 \cdot a^{m_0}) \cdot (b_1^2 \cdot a^{m_1}) \pmod{N}$ 
$= (b_0 b_1)^2 \cdot a^{m_0 + m_1} \pmod{N}$ 
When m_0 + m_1 is either 0 or 1, we have m_0 + m_1 = m_0 ⊕ m_1. When m_0 = 
m_1 = 1, m_0 + m_1 = 2 and c_0 c_1 (mod N) is a quadratic residue and thus it is an 
encryption of 0. In this case, we have m_0 ⊕ m_1 = 1 ⊕ 1 = 0 as well. 
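The GM example and the XOR-homomorphic property above, run on the chapter's toy key (p = 7, q = 11, a = 6) and the bit string 101 with b = (2, 3, 5). This is an added example, not code from the book; the function names are the editor's own, and the residuosity test is Euler's criterion from Eqs. (2.3) to (2.6). 

```python
# Goldwasser-Micali on the chapter's toy key. Added example; names are the editor's.
from math import gcd
import random


def is_qr_mod_prime(x, p):
    """Euler's criterion: x is a quadratic residue mod prime p iff x^((p-1)/2) = 1 (mod p)."""
    return pow(x % p, (p - 1) // 2, p) == 1


def is_qr(x, p, q):
    """Eqs. (2.3)-(2.6): x is a residue mod N = pq iff it is one mod p and mod q."""
    return is_qr_mod_prime(x, p) and is_qr_mod_prime(x, q)


def gm_keygen(p, q, a):
    """Check the key-generation conditions and return ((a, N), (p, q))."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must be 3 (mod 4)")
    # a must be a non-residue mod both primes: a^((p-1)/2) = -1 (mod p), likewise mod q
    if pow(a, (p - 1) // 2, p) != p - 1 or pow(a, (q - 1) // 2, q) != q - 1:
        raise ValueError("a must be a quadratic non-residue modulo both p and q")
    return (a, p * q), (p, q)


def gm_encrypt_bits(pub, bits, randoms=None):
    """Eq. (2.7): c_i = b_i^2 * a^(m_i) mod N, one ciphertext per plaintext bit.

    `randoms` fixes the b_i (to reproduce the book's numbers); otherwise each b_i is
    drawn from the units modulo N.
    """
    a, N = pub
    cts = []
    for i, m in enumerate(bits):
        if m not in (0, 1):
            raise ValueError("GM encrypts one bit at a time")
        if randoms is None:
            b = random.randrange(1, N)
            while gcd(b, N) != 1:
                b = random.randrange(1, N)
        else:
            b = randoms[i]
        cts.append(b * b % N * pow(a, m, N) % N)
    return cts


def gm_decrypt_bits(priv, cts):
    """Residue -> bit 0, non-residue -> bit 1, using the factorization (p, q)."""
    p, q = priv
    return [0 if is_qr(c, p, q) else 1 for c in cts]


def gm_xor(pub, c0, c1):
    """Homomorphic property: c0 * c1 mod N encrypts m0 XOR m1."""
    _, N = pub
    return c0 * c1 % N


if __name__ == "__main__":
    pub, priv = gm_keygen(7, 11, 6)
    cts = gm_encrypt_bits(pub, [1, 0, 1], randoms=[2, 3, 5])
    print(cts, gm_decrypt_bits(priv, cts))
```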


Security: The GM encryption scheme is a probabilistic encryption [8]. Proba- 
bilistic encryption refers to the use of randomness in an encryption algorithm, 
so that when encrypting the same message several times it will, in general, 
yield different ciphertexts. The term “probabilistic encryption” is typically used 
in reference to public-key encryption algorithms; however, various secret key 
encryption algorithms achieve a similar property (e.g., block ciphers when used in a 
chaining mode such as CBC). To be semantically secure, that is, to hide even partial 
information about the plaintext, an encryption algorithm must be probabilistic. 

Probabilistic encryption is particularly important when using public-key encryp- 
tion. Suppose that the adversary observes a ciphertext and suspects that the plaintext 
is either “YES” or “NO.” When a deterministic encryption algorithm is used, the 
adversary can simply try encrypting each of his or her guesses under the recipient’s 
public key and compare each result to the target ciphertext. To combat this 
attack, public-key encryption schemes must incorporate an element of randomness, 
ensuring that each plaintext maps into one of a large number of possible ciphertexts. 

An intuitive approach to converting a deterministic encryption scheme into 
a probabilistic one is to simply pad the plaintext with a random string before 
encrypting with the deterministic algorithm, such as padding RSA. Conversely, 
decryption involves applying a deterministic algorithm and ignoring the random 
padding. However, early schemes which applied this naive approach were broken 
due to limitations in some deterministic encryption schemes. Techniques such as 
OAEP integrate random padding in a manner that is secure using any trapdoor 
permutation. 

The GM encryption scheme is semantically secure [8]. Semantic security is 
commonly defined by the following game: 
• Initialize: The challenger runs the key generation algorithm, gives the public key 
pk to a probabilistic polynomial time-bounded (PPT) adversary, but keeps the 
private key sk to itself. 

• Phase 1: The adversary adaptively asks a number of different encryption queries 
C_i = E(m_i, pk) for m_i, where i = 1, 2, ..., n. 

• Challenge: Once the adversary decides that Phase 1 is over, it outputs a pair 
of equal length plaintexts (M_0, M_1) on which it wishes to be challenged. 
The challenger picks a random bit b ∈ {0, 1} and sends C = E(M_b, pk) as 
the challenge to the adversary. 

• Phase 2: The adversary issues more encryption queries adaptively as in Phase 1. 

• Guess: Finally, the adversary outputs a guess b′ ∈ {0, 1} and wins the game if 
b′ = b. 


The public-key encryption cryptosystem is semantically secure under chosen- 
plaintext attack if the adversary cannot determine which of the two messages was 
chosen by the challenger, with probability significantly greater than 1/2 (the success 
rate of random guessing). 

The GM encryption scheme is semantically secure based on the assumed 
intractability of the quadratic residuosity problem modulo a composite N = pq 
where p, q are large primes. This assumption states that given (a, N) it is difficult 
to determine whether a is a quadratic residue modulo N (i.e., a ≡ b^2 (mod N) for 
some b). The quadratic residue problem is easily solved given the factorization of N. 
The GM encryption scheme leverages this asymmetry by encrypting individual 
plaintext bits as either random quadratic residues or non-residues modulo N. 
Recipients use the factorization of N as a secret key and decrypt the message by 
testing the quadratic residuosity of the received ciphertext values. 

Because the GM encryption scheme produces a value of size approximately 
|N| to encrypt every single bit of a plaintext, GM encryption results in substantial 
ciphertext expansion. To prevent factorization attacks, it is recommended that |N| be 
several hundred bits or more. Thus, the scheme serves mainly as a proof of concept, 
and more efficient provably secure schemes such as the ElGamal encryption scheme 
have been developed since. 


2.3 ElGamal Encryption Scheme 


The ElGamal encryption scheme [4] is a public-key encryption algorithm based on 
the Diffie-Hellman key exchange. It was invented by Taher Elgamal in 1985. The 
ElGamal encryption scheme is used in the free GNU Privacy Guard software, recent 
versions of PGP, and other cryptosystems. The ElGamal encryption scheme can be 
defined over any cyclic group G. Its security depends upon the difficulty of a certain 
problem in G related to computing discrete logarithms. 

The ElGamal encryption scheme consists of three components: the key genera- 
tion, the encryption algorithm, and the decryption algorithm. 
Key Generation: The key generator works as follows: 

Alice generates an efficient description of a cyclic group G, of order q, with 
generator g. 

Alice chooses a random x ∈ {1, ..., q − 1}. 

Alice computes 

$y = g^x$ (2.8) 
Alice publishes y along with the description of G, q, g, as her public key. Alice 
retains x as her private key, which must be kept secret. 


Encryption: The encryption algorithm works as follows: 
To encrypt a message m to Alice under her public key (G, q, g, y), Bob chooses 
a random r ∈ {1, ..., q − 1}, then computes 

$c_1 = g^r$ (2.9) 
Bob computes the shared secret 
$s = y^r$ (2.10) 

Bob converts his secret message m into an element m′ ∈ G. 
Bob computes 

$c_2 = m' \cdot s$ (2.11) 

Bob sends the ciphertext (c_1, c_2) = (g^r, m′ · y^r) to Alice. 

Note that one can easily find y^r if one knows m′. Therefore, a new r is 
generated for every message to improve security. For this reason, r is also called an 
ephemeral key. 


Decryption: The decryption algorithm works as follows: 
To decrypt a ciphertext (c_1, c_2) with her private key x, Alice computes the shared 
secret 

$t = c_1^x$ (2.12) 
and then computes 
$m' = c_2 \cdot t^{-1}$ (2.13) 
which she then converts back into the plaintext message m, where t^{−1} is the inverse 
of t in the group G (e.g., the modular multiplicative inverse if G is a subgroup of a 
multiplicative group of integers modulo n). 
The decryption algorithm produces the intended message, since 

$c_2 \cdot t^{-1} = (m' \cdot s) \cdot c_1^{-x}$ 
$= m' \cdot y^r \cdot g^{-xr}$ 
$= m' \cdot g^{xr} \cdot g^{-xr}$ 
$= m'$ 


The ElGamal encryption scheme is probabilistic, meaning that a single plaintext 
can be encrypted to many possible ciphertexts, with the consequence that a general 
ElGamal encryption produces a 2:1 expansion in size from plaintext to ciphertext. 

Encryption under ElGamal requires two exponentiations; however, these expo- 
nentiations are independent of the message and can be computed ahead of time if 
need be. Decryption only requires one exponentiation. 

The division by t can be avoided by using an alternative method for decryption. 
To decrypt a ciphertext (c_1, c_2) with Alice’s private key x, Alice computes t′ = 
c_1^{q−x} = g^{r(q−x)}; t′ is the inverse of t. This is a consequence of Lagrange’s theorem, 
because 

$t \cdot t' = g^{xr} \cdot g^{r(q-x)} = g^{rq} = (g^q)^r = 1^r = 1$ 

where 1 is the identity element of G. 

Alice then computes m′ = c_2 · t′, by which she then converts back into the 
plaintext message m. The decryption algorithm produces the intended message, 
since 

$c_2 \cdot t' = m' \cdot s \cdot t' = m' \cdot y^r \cdot t' = m' \cdot g^{xr} \cdot t' = m' \cdot (g^r)^x \cdot t' = m' \cdot c_1^x \cdot t' = m' \cdot t \cdot t' = m'$ 
ElGamal Example: An example of the ElGamal encryption with small parameters 
is given as follows: 

At first, Alice generates a prime modulus p and a group generator g which is 
between 1 and p − 1: 

p = 2879 
g = 2585 

Alice selects a random number x which will be her private key: 
x = 47 
She then calculates 

$y = g^x = 2585^{47} \equiv 2826 \pmod{2879}$ 
Alice’s public key is now (p, g, y), which she sends to Bob. The private key x is 
known to Alice only. 
Bob then creates a message 
m = 77 
and then selects a random value 
r = 65 
and calculates the ciphertext (c_1, c_2), where 

$c_1 = g^r = 2585^{65} \equiv 319 \pmod{2879}$ 
$c_2 = m \cdot y^r = 77 \cdot 2826^{65} \equiv 472 \pmod{2879}$ 

Alice can decrypt the ciphertext: 
$c_2 / c_1^x = 472 / 319^{47} \equiv 77 \pmod{2879}.$ 


Homomorphic Property: The ElGamal encryption scheme has a homomorphic property. 
Given two encryptions 

$(c_{11}, c_{12}) = (g^{r_1}, m_1 y^{r_1}), \quad (c_{21}, c_{22}) = (g^{r_2}, m_2 y^{r_2})$ 

where r_1, r_2 are randomly chosen from {1, 2, ..., q − 1} and m_1, m_2 ∈ G, one can 
compute 

$(c_{11}, c_{12})(c_{21}, c_{22}) = (c_{11} c_{21}, c_{12} c_{22})$ 
$= (g^{r_1} g^{r_2}, (m_1 y^{r_1})(m_2 y^{r_2}))$ 
$= (g^{r_1 + r_2}, (m_1 m_2) y^{r_1 + r_2})$ 

The resulting ciphertext is an encryption of m_1 m_2. 
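The ElGamal example (p = 2879, g = 2585, x = 47, m = 77, r = 65), both decryption methods (Eq. (2.13) and the Lagrange variant t′ = c_1^{q−x}), and the multiplicative property above, as an added example that is not code from the book. It takes G to be the multiplicative group of integers modulo the prime p, so the group order is q = p − 1; the function names are the editor's own. 

```python
# ElGamal over Z_p^* on the chapter's toy parameters. Added example; names are the
# editor's. Real deployments use a prime-order subgroup and a much larger p.
import random


def elgamal_keygen(p, g, x):
    """Eq. (2.8): public key (p, g, y) with y = g^x mod p; private key x."""
    if not 1 <= x <= p - 2:
        raise ValueError("x must lie in {1, ..., q - 1} with q = p - 1")
    return (p, g, pow(g, x, p)), x


def elgamal_encrypt(pub, m, r=None):
    """Eqs. (2.9)-(2.11): (c1, c2) = (g^r, m * y^r) with a fresh ephemeral r."""
    p, g, y = pub
    if not 1 <= m < p:
        raise ValueError("message must already be a group element in 1..p-1")
    if r is None:
        r = random.randrange(1, p - 1)      # new r for every message
    return pow(g, r, p), m * pow(y, r, p) % p


def elgamal_decrypt(pub, x, ct):
    """Eqs. (2.12)-(2.13): t = c1^x, m = c2 * t^(-1)."""
    p, _, _ = pub
    c1, c2 = ct
    t = pow(c1, x, p)
    return c2 * pow(t, -1, p) % p


def elgamal_decrypt_no_inverse(pub, x, ct):
    """Lagrange variant: t' = c1^(q - x) with q = p - 1, so t * t' = c1^q = 1."""
    p, _, _ = pub
    c1, c2 = ct
    q = p - 1
    return c2 * pow(c1, q - x, p) % p


def elgamal_multiply(pub, ct_a, ct_b):
    """Homomorphic property: componentwise product encrypts m_a * m_b."""
    p = pub[0]
    return ct_a[0] * ct_b[0] % p, ct_a[1] * ct_b[1] % p


if __name__ == "__main__":
    pub, x = elgamal_keygen(2879, 2585, 47)
    ct = elgamal_encrypt(pub, 77, r=65)
    print(pub, ct, elgamal_decrypt(pub, x, ct), elgamal_decrypt_no_inverse(pub, x, ct))
```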


ElGamal Security: The security of the ElGamal scheme depends on the properties 
of the underlying group G as well as any padding scheme used on the messages. 

If the computational Diffie-Hellman assumption (CDH) holds in the underlying 
cyclic group G, then the ElGamal encryption function is one-way. The CDH is 
the assumption that a certain computational problem within a cyclic group G is 
hard. Consider a cyclic group G of order q; the CDH assumption states that, given 
(g, g^a, g^b) for a randomly chosen generator g and random a, b ∈ {0, ..., q − 1}, it 
is computationally intractable to compute the value g^{ab}. 

If the decisional Diffie-Hellman assumption (DDH) holds in G, then ElGamal 
achieves semantic security. Semantic security is not implied by the CDH alone. The 
DDH is a computational hardness assumption about a certain problem involving 
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discrete logarithms in cyclic groups. Consider a (multiplicative) cyclic group G of 
order q, and with generator g. The DDH assumption states that, given g“ and g’ for 
uniformly and independently chosen a, b € Z4, the value g” “looks like” a random 
element in G. This intuitive notion is formally stated by saying that the following 
two probability distributions are computationally indistinguishable: 


e (g%, gP, g’), where a and b are randomly and independently chosen from Zq; 
e (g%, g}, g°), where a, b,c are randomly and independently chosen from Zq. 


ElGamal encryption is unconditionally malleable and therefore is not secure 
under chosen-ciphertext attack. For example, given an encryption (c1, C2) of some 
(possibly unknown) message m, one can easily construct a valid encryption (c1, 2c2) 
of the message 2m. 
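The following Python program is an added example and not code from the book: it runs the toy ElGamal instance above end to end with the chapter's values $p = 2879$, $g = 2585$, $x = 47$, $m = 77$, $r = 65$, decrypts both by division and by the inverse-free $t' = c_1^{\,q-x}$ route (assuming $q = p - 1$, the order of $\mathbb{Z}_p^{*}$), multiplies two ciphertexts homomorphically, and carries out the malleability step that turns $(c_1, c_2)$ into an encryption of $2m$. The function names and the explicit randomness arguments are this example's own choices.

```python
import secrets

# Added example, not the book's code: toy ElGamal over Z_p^* with the chapter's
# parameters.  These sizes are for illustration only and offer no security.
P, G = 2879, 2585          # book's prime modulus and generator
Q = P - 1                  # assumption: we work in all of Z_p^*, whose order is p - 1


def random_exponent():
    """Private key or per-message nonce drawn uniformly from [1, q-1] with a CSPRNG."""
    return 1 + secrets.randbelow(Q - 1)


def keygen(x):
    """Private key x, public key y = g^x mod p."""
    return x, pow(G, x, P)


def encrypt(y, m, r):
    """(c1, c2) = (g^r, m * y^r) mod p for a message 1 <= m < p and nonce r."""
    return pow(G, r, P), (m * pow(y, r, P)) % P


def decrypt(x, c):
    """Textbook route: m = c2 / t with t = c1^x, i.e. multiply by t^-1 mod p."""
    c1, c2 = c
    t = pow(c1, x, P)
    return (c2 * pow(t, -1, P)) % P


def decrypt_no_inverse(x, c):
    """Inverse-free route: t' = c1^(q-x) satisfies t * t' = c1^q = 1 (Lagrange)."""
    c1, c2 = c
    t_prime = pow(c1, Q - x, P)
    return (c2 * t_prime) % P


def homomorphic_multiply(ca, cb):
    """Component-wise product is an encryption of m_a * m_b under the same key."""
    return (ca[0] * cb[0]) % P, (ca[1] * cb[1]) % P


def malleate(c, k):
    """What an attacker without the key can do: (c1, k*c2) decrypts to k*m.
    This is the malleability that rules out chosen-ciphertext security."""
    return c[0], (k * c[1]) % P
```

Randomness is passed in explicitly so that the run reproduces the book's numbers ($y = 2826$, $c_1 = 319$, $c_2 = 472$); in practice $x$ and every $r$ come from `random_exponent()`, and a prime-order subgroup is used rather than all of $\mathbb{Z}_p^{*}$.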

To achieve chosen-ciphertext security, the scheme must be further modified, or 
an appropriate padding scheme must be used. Depending on the modification, the 
DDH assumption may or may not be necessary. 

Other schemes related to ElGamal which achieve security against chosen- 
ciphertext attacks have also been proposed. The Cramer—Shoup cryptosystem [3] 
is secure under chosen-ciphertext attack assuming DDH holds for G. Its proof does 
not use the random oracle model. Another proposed scheme is DHAES [1], whose 
proof requires an assumption that is weaker than the DDH assumption. 

The ElGamal encryption scheme is usually used in a hybrid cryptosystem, i.e., 
the message itself is encrypted using a symmetric cryptosystem and ElGamal is 
then used to encrypt the key used for the symmetric cryptosystem. This is because 
asymmetric cryptosystems like ElGamal are usually slower than symmetric ones for 
the same level of security, so it is faster to encrypt the symmetric key (which most 
of the time is quite small if compared to the size of the message) with ElGamal and 
the message (which can be arbitrarily large) with a symmetric cryptosystem. 


2.4 Paillier Encryption Scheme 


The Paillier encryption scheme [11], named after and invented by Pascal Paillier 
in 1999, is a probabilistic public-key algorithm. The problem of computing nth 
residue classes is believed to be computationally difficult. The decisional composite 
residuosity assumption is the intractability hypothesis upon which this cryptosystem 
is based. 

The Paillier encryption scheme is composed of key generation, encryption, and 
decryption algorithms as follows: 


Key Generation: Choose two large prime numbers $p$ and $q$ randomly and 
independently of each other, such that 

$\gcd(pq, (p-1)(q-1)) = 1$ 

This property is assured if both primes are of equal length. 
Compute 

$n = pq, \quad \lambda = \mathrm{lcm}(p-1, q-1)$ 

where lcm stands for the least common multiple. 

Select a random integer $g$ where $g \in \mathbb{Z}_{n^2}^{*}$. 

Ensure $n$ divides the order of $g$ by checking the existence of the following 
modular multiplicative inverse: 

$\mu = \left(L(g^{\lambda} \bmod n^2)\right)^{-1} \pmod n \qquad (2.14)$ 

where the function $L$ is defined as 

$L(u) = \dfrac{u - 1}{n} \qquad (2.15)$ 

Note that the notation $a/b$ here does not denote the modular multiplication of $a$ times 
the modular multiplicative inverse of $b$, but rather the integer quotient of $a$ divided by $b$ 
(the argument $u$ is always $\equiv 1 \pmod n$ when $L$ is applied below, so the quotient is exact). 
Finally, the public (encryption) key is $(n, g)$ and the private (decryption) key is 
$(\lambda, \mu)$. 

If using $p, q$ of equivalent length, a simpler variant of the above key generation 
steps would be to set 

$g = n + 1, \quad \lambda = \varphi(n), \quad \mu = \varphi(n)^{-1} \pmod n$ 

where $\varphi(n) = (p-1)(q-1)$. 


Encryption: Let $m$ be a message to be encrypted where $m \in \mathbb{Z}_n$. 
Select a random $r$ where $r \in \mathbb{Z}_n^{*}$. 
Compute the ciphertext as 

$c = g^{m} \cdot r^{n} \pmod{n^2} \qquad (2.16)$ 

Decryption: Let $c$ be the ciphertext to decrypt, where $c \in \mathbb{Z}_{n^2}^{*}$. 
Compute the plaintext message as 

$m = L(c^{\lambda} \bmod n^2) \cdot \mu \pmod n \qquad (2.17)$ 

As the original paper points out, decryption is "essentially one exponentiation 
modulo $n^2$." 

The Paillier encryption scheme exploits the fact that certain discrete logarithms 
can be computed easily. For example, by the binomial theorem, 

$(1+n)^{x} = \sum_{k=0}^{x} \binom{x}{k} n^{k} = 1 + nx + \binom{x}{2} n^{2} + \text{higher powers of } n$ 

This indicates that 

$(1+n)^{x} \equiv 1 + nx \pmod{n^2}$ 

Therefore, if 

$y = (1+n)^{x} \bmod n^2$ 

then $y = 1 + nx \bmod n^2$, and thus 

$L((1+n)^{x} \bmod n^2) = x \pmod n$ 

for any $x \in \mathbb{Z}_n$. 
Therefore, when $g = n+1$, we have 

$L(c^{\lambda} \bmod n^2) \cdot \mu = L((g^{m} r^{n})^{\lambda} \bmod n^2) \cdot \lambda^{-1} = L(g^{\lambda m} \bmod n^2) \cdot \lambda^{-1} = \lambda \cdot m \cdot \lambda^{-1} = m \pmod n$ 

where the second equality uses $r^{n\lambda} \equiv 1 \pmod{n^2}$: $n\lambda = pq \cdot \mathrm{lcm}(p-1, q-1)$ is a 
multiple of the order of every element of $\mathbb{Z}_{n^2}^{*}$, so the randomness $r$ drops out. 
Paillier Example: An example of the Paillier encryption scheme with small 
parameters is shown as follows. 

For ease of calculation, the example chooses small primes, to create a 
small $n$. Let 

$p = 7, \quad q = 11$ 

then 

$n = pq = 7 \cdot 11 = 77$ 

Next, an integer $g$ must be selected from $\mathbb{Z}_{n^2}^{*}$ such that the order of $g$ is a multiple 
of $n$ in $\mathbb{Z}_{n^2}^{*}$. If we randomly choose the integer 

$g = 5652$ 

then all necessary properties, including the yet to be specified condition, are met, as 
the order of $g$ is $2310 = 30 \cdot 77$ in $\mathbb{Z}_{n^2}^{*}$. Thus, the public key for the example will be 

$(n, g) = (77, 5652)$ 

To encrypt a message 

$m = 42$ 

where $m \in \mathbb{Z}_n$, choose a random 

$r = 23$ 

where $r$ is a nonzero integer and $r \in \mathbb{Z}_n^{*}$. 
Compute 

$c = g^{m} r^{n} \pmod{n^2} = 5652^{42} \cdot 23^{77} \pmod{5929} = 4624 \pmod{5929}$ 

To decrypt the ciphertext $c$, compute 

$\lambda = \mathrm{lcm}(6, 10) = 30$ 

Define $L(u) = (u-1)/n$ and compute 

$k = L(g^{\lambda} \bmod n^2) = L(5652^{30} \bmod 5929) = L(3928) = (3928 - 1)/77 = 3927/77 = 51$ 

Compute the inverse of $k$, 

$\mu = k^{-1} \pmod n = 51^{-1} = 74 \pmod{77}$ 

Compute 

$m = L(c^{\lambda} \bmod n^2) \cdot \mu \pmod n = L(4624^{30} \bmod 5929) \cdot 74 \pmod{77} = L(4852) \cdot 74 \pmod{77} = 63 \cdot 74 \pmod{77} = 42$ 


Homomorphic Properties: A notable feature of the Paillier scheme is its homomorphic 
properties. Given two ciphertexts $E(m_1, pk) = g^{m_1} r_1^{\,n} \pmod{n^2}$ and 
$E(m_2, pk) = g^{m_2} r_2^{\,n} \pmod{n^2}$, where $r_1$ and $r_2$ are randomly chosen from $\mathbb{Z}_n^{*}$, 
we have 

• Homomorphic Addition of Plaintexts 
The product of two ciphertexts will decrypt to the sum of their corresponding 
plaintexts, i.e., 

$D(E(m_1, pk) \cdot E(m_2, pk) \bmod n^2) = m_1 + m_2 \pmod n$ 

because 

$E(m_1, pk) \cdot E(m_2, pk) = (g^{m_1} r_1^{\,n})(g^{m_2} r_2^{\,n}) \pmod{n^2} = g^{m_1 + m_2} (r_1 r_2)^{n} \pmod{n^2} = E(m_1 + m_2, pk)$ 

The product of a ciphertext with $g$ raised to a plaintext will decrypt to the sum 
of the corresponding plaintexts, i.e., 

$D(E(m_1, pk) \cdot g^{m_2} \bmod n^2) = m_1 + m_2 \pmod n$ 

because 

$E(m_1, pk) \cdot g^{m_2} = (g^{m_1} r_1^{\,n})\, g^{m_2} \pmod{n^2} = g^{m_1 + m_2} r_1^{\,n} \pmod{n^2} = E(m_1 + m_2, pk)$ 

• Homomorphic Multiplication of Plaintexts 
An encrypted plaintext raised to the power of another plaintext will decrypt to 
the product of the two plaintexts, i.e., 

$D(E(m_1, pk)^{m_2} \bmod n^2) = m_1 m_2 \pmod n$ 

because 

$E(m_1, pk)^{m_2} = (g^{m_1} r_1^{\,n})^{m_2} \pmod{n^2} = g^{m_1 m_2} (r_1^{\,m_2})^{n} \pmod{n^2} = E(m_1 m_2, pk)$ 

More generally, an encrypted plaintext raised to a constant $k$ will decrypt to 
the product of the plaintext and the constant, i.e., 

$D(E(m_1, pk)^{k} \bmod n^2) = k m_1 \pmod n$ 

However, given the Paillier encryptions of two messages, there is no known way 
to compute an encryption of the product of these messages without knowing the 
private key. 
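The following Python program is an added example, not code from the book or from Paillier's paper: it implements key generation (both the general check (2.14) for a supplied $g$ and the $g = n + 1$ shortcut), encryption, decryption and the three homomorphic operations above, and reproduces the toy run with $p = 7$, $q = 11$, $g = 5652$, $m = 42$, $r = 23$. Function names are this example's own; the randomiser $r$ is an explicit argument so the run is reproducible.

```python
from math import gcd, lcm

# Added example, not the book's code: Paillier with the chapter's toy
# parameters p = 7, q = 11, g = 5652 (keys this small are not secure).


def L(u, n):
    """L(u) = (u - 1) / n as an exact integer quotient, not a modular inverse."""
    if (u - 1) % n:
        raise ValueError("L is only defined for u = 1 (mod n)")
    return (u - 1) // n


def keygen(p, q, g=None):
    """Return (pk, sk) = ((n, g), (lambda, mu)).  With g=None the g = n + 1
    shortcut is used; otherwise condition (2.14) is checked for the supplied g."""
    n = p * q
    if gcd(n, (p - 1) * (q - 1)) != 1:
        raise ValueError("need gcd(pq, (p-1)(q-1)) = 1")
    lam = lcm(p - 1, q - 1)
    g = n + 1 if g is None else g
    n2 = n * n
    if gcd(g, n2) != 1:
        raise ValueError("g must lie in Z*_{n^2}")
    # pow(..., -1, n) raises ValueError when the inverse does not exist,
    # i.e. when n does not divide the order of g.
    mu = pow(L(pow(g, lam, n2), n), -1, n)
    return (n, g), (lam, mu)


def encrypt(pk, m, r):
    """c = g^m * r^n mod n^2 for m in Z_n and r in Z_n^*  (2.16)."""
    n, g = pk
    if not (0 <= m < n and 0 < r < n and gcd(r, n) == 1):
        raise ValueError("bad message or randomiser")
    n2 = n * n
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pk, sk, c):
    """m = L(c^lambda mod n^2) * mu mod n  (2.17)."""
    n, _ = pk
    lam, mu = sk
    return (L(pow(c, lam, n * n), n) * mu) % n


def add(pk, c1, c2):
    """E(m1) * E(m2) mod n^2 encrypts m1 + m2 mod n."""
    n, _ = pk
    return (c1 * c2) % (n * n)


def add_plain(pk, c, m2):
    """E(m1) * g^m2 mod n^2 encrypts m1 + m2 mod n."""
    n, g = pk
    return (c * pow(g, m2, n * n)) % (n * n)


def mul_plain(pk, c, k):
    """E(m)^k mod n^2 encrypts k * m mod n; k may itself be a plaintext."""
    n, _ = pk
    return pow(c, k, n * n)
```

There is deliberately no `mul(pk, c1, c2)`: multiplying two ciphertexts gives an encryption of the sum, and no key-free operation on two Paillier ciphertexts yields an encryption of the product.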


Paillier Security: The Paillier encryption scheme provides semantic security 
against chosen-plaintext attacks (IND-CPA). The ability to successfully distinguish 
the challenge ciphertext essentially amounts to the ability to decide composite 
residuosity. The semantic security of the Paillier encryption scheme was proved 
under the decisional composite residuosity (DCR) assumption—the DCR problem 
is intractable. 

The DCR problem is stated as follows: Given a composite $n$ and an integer $z$, it is 
hard to decide whether $z$ is an $n$-th residue modulo $n^2$ or not, i.e., whether there exists 
$y$ such that 

$z = y^{n} \pmod{n^2}$ 


Because of the homomorphic properties, the Paillier encryption scheme, how- 
ever, is malleable and therefore does not protect against adaptive chosen-ciphertext 
attacks (IND-CCA2). Usually in cryptography the notion of malleability is not 
seen as an “advantage,” but under certain applications such as secure electronic 
voting and threshold cryptosystems, this property may indeed be necessary. 

Paillier and Pointcheval [12] however went on to propose an improved cryptosys- 
tem that incorporates the combined hashing of message m with random r. Similar 
in intent to the Cramer—Shoup cryptosystem, the hashing prevents an attacker, given 
only c, from being able to change m in a meaningful way. Through this adaptation 
the improved scheme can be shown to be IND-CCA2 secure in the random oracle 
model. 


2.5 Boneh–Goh–Nissim Encryption Scheme 


The Boneh–Goh–Nissim encryption scheme [2], BGN scheme for brevity, resembles 
the Paillier [11] and the Okamoto–Uchiyama [10] encryption schemes. The BGN 
scheme was the first to allow an arbitrary number of additions together with one 
multiplication, all with a constant-size ciphertext. The multiplication is possible due 
to the fact that pairings can be defined for elliptic curves. 

Let $G_1$, $G_2$ be groups written multiplicatively and $G_T$ a multiplicative group, all of 
prime order $p$. Let $P \in G_1$, $Q \in G_2$ be generators of $G_1$ and $G_2$, respectively. 

A pairing is a map 

$e : G_1 \times G_2 \longrightarrow G_T$ 

for which the following holds: 

1. Bilinearity: $\forall a, b \in \mathbb{Z}_p^{*}$: 

$e(P^{a}, Q^{b}) = e(P, Q)^{ab}$ 

2. Non-degeneracy: $e(P, Q) \neq 1$. 
3. For practical purposes, $e$ has to be computable in an efficient manner. 

In cases when $G_1 = G_2 = G$, the pairing is called symmetric. If, furthermore, 
$G$ is cyclic, the map $e$ will be commutative; that is, for any $P, Q \in G$, we have 

$e(P, Q) = e(Q, P)$ 

This is because for a generator $g \in G$, there exist integers $a, b$ such that $P = g^{a}$ 
and $Q = g^{b}$. Therefore 

$e(P, Q) = e(g^{a}, g^{b}) = e(g, g)^{ab} = e(g^{b}, g^{a}) = e(Q, P)$ 


On the basis of pairing, BGN scheme can be described by three algorithms—key 
generation, encryption, and decryption algorithms—as follows: 


Key Generation: Given a security parameter $\lambda \in \mathbb{Z}^{+}$, generate a tuple 
$(q_1, q_2, G, G_1, e)$, where $q_1$ and $q_2$ are two distinct large primes, $G$ is a cyclic group 
of order $q_1 q_2$, and $e$ is a pairing map $e : G \times G \to G_1$. Let $N = q_1 q_2$. Pick 
two random generators $g, u$ from $G$ and set $h = u^{q_2}$. Then $h$ is a random generator 
of the subgroup of $G$ of order $q_1$. The public key is $PK = \{N, G, G_1, e, g, h\}$. The 
private key is $SK = q_1$. 

Encryption: Assume the message space consists of integers in the set $\{0, 1, \cdots, T\}$ 
with $T < q_2$. To encrypt bits, take $T = 1$. To encrypt a message $m$ 
using the public key $PK$, pick a random $r$ from $\{1, 2, \cdots, N\}$ and compute 

$C = g^{m} h^{r} \in G \qquad (2.18)$ 

Output $C$ as the ciphertext. 

Decryption: To decrypt a ciphertext $C$ using the private key $SK = q_1$, observe that 

$C^{q_1} = (g^{m} h^{r})^{q_1} = (g^{q_1})^{m} \qquad (2.19)$ 

since $h^{q_1} = 1$. To recover the message $m$, it suffices to compute the discrete logarithm 
of $C^{q_1}$ to the base $g^{q_1}$. Since $0 \le m \le T$, this takes expected time $O(\sqrt{T})$ using 
Pollard's lambda method [9]. 

Homomorphic Properties: The BGN scheme is clearly additively homomorphic. 
Let $PK = \{N, G, G_1, e, g, h\}$ be a public key. Given two ciphertexts 
$C_1 = g^{m_1} h^{r_1} \in G$, $C_2 = g^{m_2} h^{r_2} \in G$ of messages $m_1, m_2 \in \{0, 1, \cdots, T\}$ 
respectively, anyone can create a uniformly distributed encryption of $m_1 + m_2 \pmod N$ 
by computing the product 

$C = C_1 C_2 h^{r} \qquad (2.20)$ 

for a random $r$ in $\{1, 2, \cdots, N-1\}$, because 

$C_1 C_2 h^{r} = g^{m_1} h^{r_1} g^{m_2} h^{r_2} h^{r} = g^{m_1 + m_2} h^{r_1 + r_2 + r}$ 

is an encryption of $m_1 + m_2$. 


More importantly, anyone can multiply two encrypted messages once using the 
bilinear map. Let 

$g_1 = e(g, g) \quad \text{and} \quad h_1 = e(g, h)$ 

then $g_1$ is of order $N$ and $h_1$ is of order $q_1$. There is some (unknown) $\alpha \in \mathbb{Z}$ such 
that 

$h = g^{\alpha q_2}$ 

and hence $h_1 = e(g, g)^{\alpha q_2} = g_1^{\alpha q_2}$. 
Suppose that we are given two ciphertexts $C_1 = g^{m_1} h^{r_1} \in G$ and $C_2 = g^{m_2} h^{r_2} \in G$. 
To build an encryption of the product $m_1 m_2 \pmod N$, (1) pick a random $r \in \mathbb{Z}_N$, 
and (2) let 

$C = e(C_1, C_2)\, h_1^{r} \in G_1 \qquad (2.21)$ 

We have 

$C = e(C_1, C_2)\, h_1^{r}$ 
$\quad = e(g^{m_1} h^{r_1}, g^{m_2} h^{r_2})\, h_1^{r}$ 
$\quad = e(g^{m_1 + \alpha q_2 r_1}, g^{m_2 + \alpha q_2 r_2})\, h_1^{r}$ 
$\quad = e(g, g)^{(m_1 + \alpha q_2 r_1)(m_2 + \alpha q_2 r_2)}\, h_1^{r}$ 
$\quad = e(g, g)^{m_1 m_2 + \alpha q_2 (m_1 r_2 + m_2 r_1 + \alpha q_2 r_1 r_2)}\, h_1^{r}$ 
$\quad = g_1^{m_1 m_2}\, h_1^{m_1 r_2 + m_2 r_1 + \alpha q_2 r_1 r_2}\, h_1^{r}$ 
$\quad = g_1^{m_1 m_2}\, h_1^{\,r + m_1 r_2 + m_2 r_1 + \alpha q_2 r_1 r_2}$ 

where $r + m_1 r_2 + m_2 r_1 + \alpha q_2 r_1 r_2$ is distributed uniformly in $\mathbb{Z}_N$. Thus $C$ is a 
uniformly distributed encryption of $m_1 m_2 \pmod N$, but in $G_1$ rather than $G$. We 
note that the BGN scheme is still additively homomorphic in $G_1$. 




BGN Example: We will demonstrate the operation of the BGN scheme with a 
small example. First we choose two distinct prime numbers 

$q_1 = 7, \quad q_2 = 11$ 

and compute the product 

$N = q_1 q_2 = 77$ 

Next we construct an elliptic curve group with order $N$ that has an associated 
bilinear map $e$. The equation for the elliptic curve is 

$y^{2} = x^{3} + x$ 

and is defined over the field $\mathbb{F}_q$ for some prime $q \equiv 3 \pmod 4$. In this example, we set 

$q = 307$ 

Therefore, the curve is supersingular with $\#E(\mathbb{F}_q) = q + 1 = 308$ rational points, 
which contains a subgroup $G$ with the order $N = 77$ ($= 308/4$). 

Within the group $G$, we choose two random generators 

$g = [182, 240], \quad u = [28, 262]$ 

where these two generators have order $N$, and compute 

$h = u^{q_2} = [28, 262]^{11} = [99, 120]$ 

where $h$ has order $q_1 = 7$. (Exponentiation of a point denotes scalar multiplication 
on the curve, written multiplicatively to match the description of the scheme.) 
We compute the ciphertext of the message 

$m = 2$ 

Take $r = 5$ and compute 

$C = g^{m} h^{r} = [182, 240]^{2} \cdot [99, 120]^{5} = [256, 265]$ 

To decrypt we first compute 

$\hat{e} = g^{q_1} = [182, 240]^{7} = [146, 60]$ 

and 

$C^{q_1} = [256, 265]^{7} = [299, 44]$ 

Now we find the discrete logarithm by iterating through all the powers of $\hat{e} = g^{q_1}$ 
as follows: 

$\hat{e}^{1} = [146, 60]$ 
$\hat{e}^{2} = [299, 44]$ 
$\hat{e}^{3} = [272, 206]$ 
$\hat{e}^{4} = [191, 151]$ 
$\hat{e}^{5} = [79, 171]$ 
$\hat{e}^{6} = [79, 136]$ 
$\hat{e}^{7} = [191, 156]$ 
$\hat{e}^{8} = [272, 101]$ 
$\hat{e}^{9} = [299, 263]$ 
$\hat{e}^{10} = [146, 247]$ 
$\hat{e}^{11} = \mathcal{O}$ (the identity) 

Observe that $\hat{e}^{2} = C^{q_1}$. Therefore, decryption of the ciphertext yields $2$, which 
is the same as the original message. 
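The following Python program is an added example, not code from the book or the BGN paper: it implements the group law on the chapter's curve $y^{2} = x^{3} + x$ over $\mathbb{F}_{307}$ in additive notation (the text's $g^{m} h^{r}$ is $m g + r h$ here), derives $h = q_2 u$ from the book's points $g = (182, 240)$ and $u = (28, 262)$, encrypts $m = 2$ with $r = 5$, decrypts by raising to $q_1$ and searching the small message space, and re-randomises the sum of two ciphertexts. The pairing $e$, and therefore the single multiplication, is not implemented; only the order-$q_1$ subgroup trick behind decryption and the additive layer are shown. Function names are this example's own.

```python
# Added example, not the book's code: BGN key generation, encryption,
# decryption and ciphertext addition on the chapter's toy curve.  No pairing.
FIELD = 307           # q = 3 mod 4, so y^2 = x^3 + x is supersingular with q + 1 = 308 points
Q1, Q2 = 7, 11        # SK = q1; N = q1*q2 = 77 is the order of the subgroup G
N = Q1 * Q2
INF = None            # point at infinity, the group identity


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + x)) % FIELD == 0


def add(p1, p2):
    """Affine chord-and-tangent group law for y^2 = x^3 + a*x with a = 1."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return INF                                   # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 + 1) * pow((2 * y1) % FIELD, -1, FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD, -1, FIELD)
    lam %= FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    y3 = (lam * (x1 - x3) - y1) % FIELD
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication k*pt (the text's pt^k)."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def keygen(g, u):
    """PK = (N, g, h) with h = q2*u of order q1; SK = q1.  Both inputs must be
    curve points in the order-N subgroup, which is checked."""
    for pt in (g, u):
        if not on_curve(pt) or mul(N, pt) is not INF:
            raise ValueError("generator must lie in the order-N subgroup")
    return (N, g, mul(Q2, u)), Q1


def encrypt(pk, m, r):
    """C = m*g + r*h for a message 0 <= m <= T < q2 and random r."""
    _, g, h = pk
    return add(mul(m, g), mul(r, h))


def decrypt(pk, sk, c, t_max=Q2 - 1):
    """q1*C = m*(q1*g) because q1*h = O.  Recover m by brute-force discrete log
    over 0..t_max (the text uses Pollard's lambda, O(sqrt T), for larger T)."""
    _, g, _ = pk
    base = mul(sk, g)
    target = mul(sk, c)
    acc = INF
    for m in range(t_max + 1):
        if acc == target:
            return m
        acc = add(acc, base)
    raise ValueError("message outside 0..t_max")


def add_ciphertexts(pk, c1, c2, r):
    """C1 + C2 + r*h is a fresh-looking encryption of m1 + m2 (mod N)."""
    _, _, h = pk
    return add(add(c1, c2), mul(r, h))
```

With the book's points the run reproduces its intermediate values: $h = (99, 120)$, $7g = (146, 60)$, $C = (256, 265)$ and $7C = (299, 44)$. The `keygen` check that $77 g = \mathcal{O}$ is the part a practitioner must not skip: a point outside the order-$N$ subgroup gives an $h$ that $q_1$ does not kill, and decryption silently returns wrong messages.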


BGN Security: The BGN encryption scheme has been proved to be semantically 
secure on basis of the subgroup decision problem in [2]. The subgroup decision 
(SD) problem is stated as follows. 

Given a group $G$ of composite order $n = pq$, where $p, q$ are distinct (unknown) 
primes, and generators $g_p \in G_p$ and $g \in G$, distinguish whether an 
element $x$ is a random element of the subgroup $G_p$ or a random element of the 
full group $G$. 

Gjøsteen [6] has undertaken an extensive survey of such problems, which he calls 
subgroup membership problems. For example, the quadratic residuosity problem is 
a subgroup membership problem: if we let $N = pq$ be a product of two distinct 
primes and define the group $G$ to be the group of elements of $\mathbb{Z}_N^{*}$ with Jacobi symbol 
$1$, the problem is to determine whether a given element in $G$ lies in the subgroup of 
squares in $G$. 

Boneh, Goh, and Nissim [2] defined their SD problem for pairs of groups $(G, G_1)$ 
of composite order $N = pq$ for which there exists a nondegenerate bilinear map, 
or pairing, $e : G \times G \to G_1$. The problem is to determine whether a given element 
$x \in G$ is in the subgroup of order $p$. Note that if $g$ generates $G$, then $e(g, x)$ is a 
challenge element for the same problem in $G_1$; thus if the SD problem is infeasible 
in $G$, then it is in $G_1$ as well. 

Freeman [5] developed an abstract framework that encompasses the key 
properties of bilinear groups of composite order that are required to construct 
secure pairing-based cryptosystems and showed how to use prime-order elliptic 
curve groups to construct bilinear groups with the same properties. In particular, 
he defined a generalized version of the subgroup decision problem and gave explicit 
constructions of bilinear groups in which the generalized subgroup decision 
assumption follows from the decision Diffie-Hellman assumption, the decision 
linear assumption, and/or related assumptions in prime-order groups. 
Chapter 3 
Fully Homomorphic Encryption 


Abstract Homomorphic encryption is a very useful tool with a number of attractive 
applications. However, the applications are limited by the fact that only one 
operation is possible (usually addition or multiplication in the plaintext space) to 
be able to manipulate the plaintext by using only the ciphertext. What would really 
be useful is to be able to utilize both addition and multiplication simultaneously. 
This would permit more manipulation of the plaintext by modifying the ciphertext. 
In fact, this would allow one without the secret key to compute any efficiently 
computable function on the plaintext when given only the ciphertext. In this chapter, 
we introduce fully homomorphic encryption (FHE) techniques, which allow one to 
evaluate both addition and multiplication of plaintext, while remaining encrypted. 
The concept of FHE was introduced by Rivest [14] under the name privacy 
homomorphisms. The problem of constructing a scheme with these properties 
remained unsolved until 2009, when Gentry [6] presented his breakthrough result. 
His scheme allows arbitrary computation on the ciphertexts and it yields the correct 
result when decrypted. This chapter begins with an introduction of FHE model and 
definitions, followed by the construction of FHE scheme over integers. 


3.1 Fully Homomorphic Encryption Definition 


Fully homomorphic encryption can be considered as ring homomorphism. In 
mathematics, a ring is a set R equipped with two operations + and x satisfying 
the following eight axioms, called the ring axioms. 

$R$ is an abelian group under addition, meaning: 

1. $(a + b) + c = a + (b + c)$ for all $a, b, c$ in $R$ ($+$ is associative). 
2. There is an element $0$ in $R$ such that $a + 0 = a$ and $0 + a = a$ ($0$ is the additive 
identity). 
3. For each $a$ in $R$ there exists $-a$ in $R$ such that $a + (-a) = (-a) + a = 0$ ($-a$ 
is the additive inverse of $a$). 
4. $a + b = b + a$ for all $a$ and $b$ in $R$ ($+$ is commutative). 

$R$ is a monoid under multiplication, meaning: 

5. $(a \cdot b) \cdot c = a \cdot (b \cdot c)$ for all $a, b, c$ in $R$ ($\cdot$ is associative). 
6. There is an element $1$ in $R$ such that $a \cdot 1 = a$ and $1 \cdot a = a$ ($1$ is the multiplicative 
identity). 

Multiplication distributes over addition: 

7. $a \cdot (b + c) = (a \cdot b) + (a \cdot c)$ for all $a, b, c$ in $R$ (left distributivity). 
8. $(b + c) \cdot a = (b \cdot a) + (c \cdot a)$ for all $a, b, c$ in $R$ (right distributivity). 

A ring homomorphism is a function between two rings which respects the 
structure. More explicitly, if $R$ and $S$ are two rings, then a ring homomorphism 
is a function 

$f : R \to S$ 

such that 

$f(a + b) = f(a) + f(b) \qquad (3.1)$ 
$f(a \cdot b) = f(a) \cdot f(b) \qquad (3.2)$ 

for all $a$ and $b$ in $R$. 
Let us see an example of a ring homomorphism. Consider the function 

$f : \mathbb{Z}_2 \to \mathbb{Z}_2$ 

given by 

$f(x) = x^{2}$ 

where $x = 0$ or $1$. 
First, 

$f(x + y) = (x + y)^{2} = x^{2} + 2xy + y^{2} = x^{2} + y^{2} = f(x) + f(y)$ 

where $2xy = 0$ because $2$ times anything is $0$ in $\mathbb{Z}_2$. 
Next, 

$f(xy) = (xy)^{2} = x^{2} y^{2} = f(x) f(y)$ 

The second equality follows from the fact that $\mathbb{Z}_2$ is commutative. Thus, $f$ is a 
ring homomorphism. 

Let $(P, C, K, E, D)$ be an encryption scheme, where $P, C$ are the plaintext and 
ciphertext spaces, $K$ is the key space, and $E, D$ are the encryption and decryption 
algorithms. Assume that the plaintexts form a ring $(P, \oplus_P, \otimes_P)$ and the ciphertexts 
form a ring $(C, \oplus_C, \otimes_C)$; then the encryption algorithm $E$ is a map from the ring $P$ 
to the ring $C$, i.e., $E_k : P \to C$, where $k \in K$ is either a secret key (in the secret 
key cryptosystem) or a public key (in the public-key cryptosystem). 
For all $a$ and $b$ in $P$ and $k$ in $K$, if 

$E_k(a) \oplus_C E_k(b) = E_k(a \oplus_P b) \qquad (3.3)$ 
$E_k(a) \otimes_C E_k(b) = E_k(a \otimes_P b) \qquad (3.4)$ 

the encryption scheme is fully homomorphic. 


3.2 Overview of Fully Homomorphic Encryption Schemes 


Craig Gentry [6,7], using lattice-based cryptography, showed the first fully homo- 
morphic encryption scheme as announced by IBM on 25 June 2009. His scheme 
supports evaluations of arbitrary depth circuits. His construction starts from a 
somewhat homomorphic encryption scheme using ideal lattices that is limited to 
evaluating low-degree polynomials over encrypted data. It is limited because each 
ciphertext is noisy in some sense, and this noise grows as one adds and multiplies 
ciphertexts, until ultimately the noise makes the resulting ciphertext indecipherable. 
He then shows how to modify this scheme to make it bootstrappable—in particular, 
he shows that by modifying the somewhat homomorphic scheme slightly, it can 
actually evaluate its own decryption circuit, a self-referential property. Finally, he 
shows that any bootstrappable somewhat homomorphic encryption scheme can be 
converted into a fully homomorphic encryption through a recursive self-embedding. 

In the particular case of Gentry’s ideal-lattice-based somewhat homomorphic 
scheme, this bootstrapping procedure effectively “refreshes” the ciphertext by 
reducing its associated noise so that it can be used thereafter in more additions and 
multiplications without resulting in an indecipherable ciphertext. Gentry based the 
security of his scheme on the assumed hardness of two problems: certain worst-case 
problems over ideal lattices and the sparse (or low-weight) subset sum problem. 

Regarding performance, ciphertexts in Gentry’s scheme remain compact insofar 
as their lengths do not depend at all on the complexity of the function that is 
evaluated over the encrypted data. The computational time only depends linearly 
on the number of operations performed. However, the scheme is impractical for 
many applications, because ciphertext size and computation time increase sharply 
as one increases the security level. To obtain $2^{k}$ security against known attacks, 
the computation time and ciphertext size are high-degree polynomials in $k$. Stehlé 
and Steinfeld [16] reduced the dependence on $k$ substantially. They presented 
optimizations that permit the computation to be only quasi-$k^{3.5}$ per Boolean gate 
of the function being evaluated. 

In 2009, Marten van Dijk, Craig Gentry, Shai Halevi, and Vinod Vaikuntanathan 
[5] presented a second fully homomorphic encryption scheme, which uses many of 
the tools of Gentry's construction, but which does not require ideal lattices. Instead, 
they show that the somewhat homomorphic component of Gentry's ideal lattice-based 
scheme can be replaced with a very simple somewhat homomorphic scheme 
that uses integers. The scheme is therefore conceptually simpler than Gentry's ideal 
lattice scheme, but has similar properties with regard to homomorphic operations 
and efficiency. 

In 2010, Nigel P. Smart and Frederik Vercauteren [15] presented a fully 
homomorphic encryption scheme with smaller key and ciphertext sizes. The Smart–Vercauteren 
scheme follows the fully homomorphic construction based on ideal 
lattices given by Gentry [6]. It also produces a fully homomorphic scheme from a 
somewhat homomorphic scheme. For the somewhat homomorphic scheme, the public 
and the private keys each consist of two large integers (one of which is shared by both 
the public and the private keys), and the ciphertext consists of one large integer. 
The Smart–Vercauteren scheme has smaller ciphertexts and a reduced key size compared with 
Gentry's scheme based on ideal lattices. Moreover, the scheme also allows efficient 
fully homomorphic encryption over any field of characteristic two. However, the 
major problem with this scheme is that the key generation method is very slow. This 
scheme is still not fully practical. 

At the rump session of Eurocrypt 2011, Craig Gentry and Shai Halevi [8] 
presented a working implementation of fully homomorphic encryption (i.e., the 
entire bootstrapping procedure) together with performance numbers. 

Recently, Coron, Naccache, and Tibouchi [4] proposed a technique to reduce 
the public-key size of the van Dijk et al. scheme to 600 KB. In April 
2013 HElib [9] was released, via GitHub, to the open source community; it 
implements the Brakerski–Gentry–Vaikuntanathan (BGV) homomorphic encryption 
scheme [1], along with many optimizations to make homomorphic evaluation run 
faster. 


3.3 Somewhat Homomorphic Encryption Scheme 
over Integers 


Although interesting from a theoretical standpoint, the lattice-based construction is 
difficult to describe. We now move to a scheme that is easier to understand. It can 
be seen as the integer-based version of the lattice version. That is, we can embed 
an ideal into an integer ring, and if the parameters are set correctly, the scheme 
can be considered secure (against known attacks). As a bonus, the bootstrapping 
procedure is easier to understand and describe in greater detail, since it requires 
zero background with lattices. 


3.3.1 Secret Key Somewhat Homomorphic Encryption 


We begin with the description of the secret key integer-based somewhat homomorphic 
encryption scheme [5]. The scheme is surprisingly simple, and we can construct 
very complex functionality from it. 
Key Generation KeyGen: The secret key is an odd integer, chosen from some 
interval $p \in [2^{\eta - 1}, 2^{\eta}]$. 

Encryption Encrypt$(p, m)$: To encrypt a bit $m \in \{0, 1\}$, set the ciphertext to an 
integer whose residue mod $p$ has the same parity as the plaintext. Namely, set 

$c = pq + 2r + m \qquad (3.5)$ 

where the integers $q, r$ are chosen at random in some other prescribed intervals, 
such that $2r$ is smaller than $p/2$ in absolute value. 


Decryption Decrypt$(p, c)$: Given a ciphertext $c$ and the secret key $p$, output 

$m = (c \bmod p) \bmod 2 \qquad (3.6)$ 

The decryption equation holds because 

$(c \bmod p) \bmod 2 = ((pq + 2r + m) \bmod p) \bmod 2 = (2r + m) \bmod 2 = m$ 

For example, suppose that $p = 17$; let us encrypt $m = 1$ as follows: 

$c = pq + 2r + m = 17 \cdot 2 + 2 \cdot 2 + 1 = 39$ 

where $q = 2$, $r = 2$. 
It is easy to see that 

$(c \bmod p) \bmod 2 = (39 \bmod 17) \bmod 2 = 5 \bmod 2 = 1$ 

Fully Homomorphic Property: Given two ciphertexts $c_1 = pq_1 + 2r_1 + m_1$ and 
$c_2 = pq_2 + 2r_2 + m_2$, we have 

$c_1 + c_2 = (q_1 + q_2)p + 2(r_1 + r_2) + (m_1 + m_2) \qquad (3.7)$ 
$c_1 c_2 = (pq_1 q_2 + 2q_1 r_2 + 2q_2 r_1 + m_1 q_2 + m_2 q_1)p + 2(2r_1 r_2 + m_1 r_2 + m_2 r_1) + m_1 m_2 \qquad (3.8)$ 

When 

$r_1 + r_2 < p/2$ 
$2r_1 r_2 + m_1 r_2 + m_2 r_1 < p/2$ 

(for nonnegative $r_i$ these bounds keep the full noise terms $2(r_1 + r_2) + (m_1 + m_2)$ and 
$2(2r_1 r_2 + m_1 r_2 + m_2 r_1) + m_1 m_2$ below $p$, which is what the reduction modulo $p$ 
actually requires in order to return them unchanged), we have 

$(c_1 + c_2 \bmod p) \bmod 2 = m_1 + m_2$ 
$(c_1 c_2 \bmod p) \bmod 2 = m_1 m_2$ 

Therefore, this scheme has the fully homomorphic property. 

Fig. 3.1 An example of homomorphic addition and multiplication: with $p = 17$, the ciphertexts 
$c_1 = 17 + 2 \cdot 1 + 0 = 19$ and $c_2 = 2 \cdot 17 + 2 \cdot 2 + 1 = 39$, their sum $c_1 + c_2 = 58$ and their 
product $c_1 \times c_2 = 741$ are plotted on a number line marked at the multiples $p, 2p, \ldots, 50p$. 
For example, set $p = 17$, $m_1 = 0$, and $m_2 = 1$. Then compute the ciphertexts as 

$c_1 = p \cdot 1 + 2 \cdot 1 + 0 = 19$ 
$c_2 = p \cdot 2 + 2 \cdot 2 + 1 = 39$ 

where $q_1 = 1$, $r_1 = 1$, $q_2 = 2$, $r_2 = 2$. Figure 3.1 plots these points on the number 
line. In addition to the position of the ciphertexts, it also shows the sum and product. 
It is easy to verify that 

$(c_1 + c_2 \bmod p) \bmod 2 = (58 \bmod 17) \bmod 2 = 7 \bmod 2 = 1 = 0 + 1 = m_1 + m_2$ 
$(c_1 c_2 \bmod p) \bmod 2 = (741 \bmod 17) \bmod 2 = 10 \bmod 2 = 0 = 0 \cdot 1 = m_1 m_2$ 
However, when we use the fully homomorphic property to evaluate a Boolean 
function $f(x_1, x_2, \cdots, x_n)$ where $x_i \in \{0, 1\}$, given $c_i$, the encryption of $x_i$, for 
$i = 1, 2, \cdots, n$, it is noticed in Eqs. (3.7) and (3.8) that 

$r_1 + r_2 > \max(r_1, r_2)$ 
$2r_1 r_2 + m_1 r_2 + m_2 r_1 > \max(r_1, r_2)$ 

that is, the size of the noise component $r$ in the resulting ciphertext increases with 
the number of additions and multiplications in the Boolean function (additively for 
additions, multiplicatively for multiplications). Once 

$r_1 + r_2 > p/2$ 
$2r_1 r_2 + m_1 r_2 + m_2 r_1 > p/2$ 

the decryption of $f(c_1, c_2, \cdots, c_n)$ may not be $f(x_1, x_2, \cdots, x_n)$. Therefore, this 
scheme can only be used to evaluate low-degree Boolean functions over encrypted 
data. This is why this scheme is called a somewhat homomorphic encryption scheme. 

If we choose $r \approx 2^{n}$, $p \approx 2^{n^2}$ and $q \approx 2^{n^5}$ (the shape of the parameter set used 
for the public-key variant below), the somewhat homomorphic encryption scheme 
can compute polynomials of degree $\approx n$ before the noise grows too large. 
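The following Python program is an added example, not code from the book or from [5]: it implements the secret-key scheme with residues taken in $[0, p)$ as in the $p = 17$ example above, reproduces that example, and adds a small helper that multiplies a fresh ciphertext by itself until the accumulated noise passes $p$ and decryption goes wrong, so the "somewhat" in somewhat homomorphic can be measured. The randomiser $r$ is kept nonnegative so that $2r + m$ is literally the residue of $c$ modulo $p$; function names and the toy keys are this example's own.

```python
import secrets

# Added example, not the book's code: the secret-key scheme c = p*q + 2r + m
# with residues in [0, p).  r >= 0 throughout, so noise(c) == 2r + m exactly.


def secret_keygen(eta):
    """Random odd p in [2^(eta-1), 2^eta)."""
    return 2 ** (eta - 1) + 2 * secrets.randbelow(2 ** (eta - 2)) + 1


def encrypt(p, m, q, r):
    """Ciphertext whose residue mod p, namely 2r + m, has the parity of the bit m."""
    if m not in (0, 1) or not 0 <= 2 * r < p / 2:
        raise ValueError("bit m and noise 0 <= 2r < p/2 required")
    return p * q + 2 * r + m


def decrypt(p, c):
    return (c % p) % 2


def noise(p, c):
    """The 2r + m part of c; only meaningful while it is still below p."""
    return c % p


def multiplicative_depth(p, c, m, limit=64):
    """How many times the encryption c of bit m can be multiplied by itself
    (c, c^2, c^3, ...) before the noise, which is squared at every step,
    passes p and the product stops decrypting to m.  Returns the last k for
    which c^k still decrypts correctly."""
    prod = c
    for k in range(1, limit + 1):
        if decrypt(p, prod) != m:       # m^k == m for a bit, so compare with m
            return k - 1
        prod *= c
    return limit
```

With $p = 17$ the book's $c_2 = 39$ (noise $5$) survives no multiplication at all: $39^{2} \bmod 17 = 8$ already has the wrong parity. With a 14-bit $p = 10001$ and the same noise $5$, five multiplications succeed and the sixth fails ($5^{6} = 15625 > p$), which is the degree-$\approx\eta/\rho$ behaviour the text describes.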


Security: The security of this scheme can be reduced to the hardness of the 
approximate integer greatest common divisor (approximate GCD) problem [10]. 
As an example, we explain this in the more specific and familiar case of greatest 
common divisors. If we are given two integers a and b we can clearly find their 
GCD, d say, in polynomial time. If d is in some sense large then it may be possible 
to incur some additive error on either of the inputs a and b, or both, and still recover 
this GCD. This is what we refer to as an approximate common divisor problem. Of 
course if there is too much error incurred on the inputs, the algorithm may well not 
be able to discern the GCD d we had initially over some other approximate divisors 
d (e.g., they may all leave residues of similar magnitude when dividing a and b). 
In this sense, the problem is similar to those found in error correcting codes. 

Continuing this error correcting code analogy we can state the problem from 
the standpoint of the design of the decoding algorithm, i.e., we wish to create an 
algorithm which is given two inputs $a_0$ and $b_0$ and bounds $X$, $Y$, and $M$ for which 
one is assured that $d \mid (a_0 + x_0)$ and $d \mid (b_0 + y_0)$ for some $d > M$ and $x_0, y_0$ 
satisfying $|x_0| < X$, $|y_0| < Y$. The output of the algorithm should be the common 
divisor $d$, or all of the possible ones if more than one exists. 

Howgrave-Graham analyzed the approximate GCD problem in [10]. The 
problem is believed to be a hard problem in lattice theory. 

With a judicious choice of parameters (e.g., $r \approx 2^{\sqrt{n}}$ relative to an $n$-bit $p$, with 
$q$ chosen correspondingly large), the secret key somewhat homomorphic encryption 
scheme is even secure. 
3.3.2 Public-Key Somewhat Homomorphic Encryption 

The secret key somewhat homomorphic encryption needs the secret key $p$ to encrypt 
a message. Now we describe a public-key somewhat homomorphic encryption 
scheme [5] that allows encryption without knowledge of the secret $p$. 

Parameters: The scheme has many parameters, controlling the number of integers 
in the public key and the bit-length of the various integers. Specifically, we use the 
following four parameters (all polynomial in the security parameter $\lambda$): 

$\gamma$ is the bit-length of the integers in the public key; 
$\eta$ is the bit-length of the secret key (which is the hidden approximate GCD of all 
the public-key integers); 
$\rho$ is the bit-length of the noise (i.e., the distance between the public-key elements 
and the nearest multiples of the secret key); 
$\tau$ is the number of integers in the public key. 

A secondary noise parameter $\rho'$ governs the randomiser used by the encryption 
algorithm. These parameters must be set under some constraints [5]. A convenient 
parameter set to keep in mind is $\rho = \lambda$, $\rho' = 2\lambda$, $\eta = \tilde{O}(\lambda^{2})$, $\gamma = \tilde{O}(\lambda^{5})$, 
and $\tau = \gamma + \lambda$. This setting results in a scheme with complexity $\tilde{O}(\lambda^{10})$. 


Key Generation KeyGen$(\lambda)$: Choose a random $\eta$-bit odd integer $p$ as the private 
key. Using the private key, generate the public key as 

$x_i = pq_i + r_i \qquad (3.9)$ 

where $q_i \in \mathbb{Z} \cap [0, 2^{\gamma}/p)$ and $r_i \in \mathbb{Z} \cap (-2^{\rho}, 2^{\rho})$ are chosen randomly, for 
$i = 0, 1, \cdots, \tau$. Relabel so that $x_0$ is the largest. Restart unless $x_0$ is odd and 
$x_0 \bmod p$ is even. The public key is 

$pk = \langle x_0, x_1, \cdots, x_\tau \rangle$ 

Encryption Encrypt$(pk, m)$: Given $m \in \{0, 1\}$ and the public key $pk$, choose 
a random subset $S \subseteq \{1, 2, \cdots, \tau\}$ and a random integer $r \in (-2^{\rho'}, 2^{\rho'})$, and 
output 

$c = \Big(m + 2r + 2\sum_{i \in S} x_i\Big) \bmod x_0 \qquad (3.10)$ 

Decryption Decrypt$(sk, c)$: Given the ciphertext $c$ and the private key $p$, output 

$m = (c \bmod p) \bmod 2 \qquad (3.11)$ 

Recall that 

$c \bmod p = c - p \cdot \lfloor c/p \rceil$ 

where $\lfloor a \rceil$ denotes rounding to the nearest integer, so the residue is taken in 
$(-p/2, p/2]$. As $p$ is odd, we can instead decrypt using the formula 

$m = (c - p \cdot \lfloor c/p \rceil) \bmod 2 = (c \bmod 2) \oplus (\lfloor c/p \rceil \bmod 2) \qquad (3.12)$ 

since $p \bmod 2 = 1$. 


Example. Let the secret key be $p = 10001$. Based on $p$, we construct the public 
key as follows. Set 


$$[q_0, q_1, q_2, q_3] = [36, 27, 34, 6]$$
$$[r_0, r_1, r_2, r_3] = [8, 5, 4, 2]$$


We then compute the public key $pk$ as the vector 

$$[x_0, x_1, x_2, x_3] = [360044, 270032, 340038, 60008]$$


where $x_i = q_i p + r_i$ and $x_0$ is the largest. 

We now encrypt two messages $m_1 = 0$, $m_2 = 1$ using a random subset of the 
public key. Suppose that the subset is $S = \{1, 3\}$. We select a random integer $r = 31$ 
and encrypt $m_1$ as: 


$$c_1 = m_1 + 2r + 2\sum_{i \in S} x_i = 0 + 2 \cdot 31 + 2 \cdot (270032 + 60008) = 660142$$


For the sake of compactness, it is useful to reduce the ciphertext by $x_0$ as 

$$c_1' = c_1 \pmod{x_0} = 300098 \pmod{360044}$$


We encrypt $m_2$ using the same process. We set $r = 11$ and $S = \{2, 3\}$. 


$$c_2 = m_2 + 2r + 2\sum_{i \in S} x_i = 1 + 2 \cdot 11 + 2 \cdot (340038 + 60008) = 800115$$


Again, for the sake of compactness, we reduce the ciphertext by $x_0$ as 


$$c_2' = c_2 \pmod{x_0} = 80027 \pmod{360044}$$

As expected, these ciphertexts are decrypted correctly as shown by the following 
equations: 


$$c_1' = 300098 = 68 \pmod p = 0 \pmod 2$$
$$c_2' = 80027 = 19 \pmod p = 1 \pmod 2$$


In addition, 


$$c_1' + c_2' = 300098 + 80027 = 87 \pmod p = 1 \pmod 2 = 0 + 1$$
$$c_1' \cdot c_2' = 300098 \cdot 80027 = 1292 \pmod p = 0 \pmod 2 = 0 \cdot 1$$
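The scheme just described, as an added Python example that is not the book's code: KeyGen, Encrypt and Decrypt of this section over Python integers, reproducing the two ciphertexts above and then squaring and cubing $c_1'$ to show the noise bound $|2b + m| < p/2$ being crossed, which is what makes the scheme only somewhat homomorphic. The function names, the degree-bound helper for Lemma 3.3 and the small random parameters used at the end are my own; the toy key is the book's, used as given.

```python
import math
import secrets


def centered_mod(c, p):
    """c (mod p) with the remainder in (-p/2, p/2], i.e. c - p * round(c/p)."""
    r = c % p
    return r - p if r > p // 2 else r


def sample_noise(bits):
    """Random integer in (-2^bits, 2^bits)."""
    return secrets.randbelow(2 ** (bits + 1) - 1) - (2 ** bits - 1)


def keygen(eta, gamma, rho, tau):
    """Odd eta-bit p and tau+1 near-multiples x_i = p*q_i + r_i (Eq. 3.9). x_0 is the
    largest; the draw is restarted unless x_0 is odd with an even remainder mod p."""
    while True:
        p = secrets.randbits(eta) | (1 << (eta - 1)) | 1
        xs = sorted((p * secrets.randbelow((1 << gamma) // p) + sample_noise(rho)
                     for _ in range(tau + 1)), reverse=True)
        if xs[0] % 2 == 1 and centered_mod(xs[0], p) % 2 == 0:
            return p, xs


def encrypt(pk, m, rho2, subset=None, r=None):
    """Eq. (3.10): c = (m + 2r + 2*sum_{i in S} x_i) mod x_0.
    subset and r can be fixed to reproduce the book's numbers; otherwise random."""
    if subset is None:
        subset = [i for i in range(1, len(pk)) if secrets.randbits(1)]
    if r is None:
        r = sample_noise(rho2)
    return (m + 2 * r + 2 * sum(pk[i] for i in subset)) % pk[0]


def decrypt(p, c):
    """Eq. (3.11) with the centered remainder: m = (c mod p) mod 2."""
    return centered_mod(c, p) % 2


def noise(p, c):
    """The term 2b + m in c = a*p + (2b + m); decryption is right only while |2b + m| < p/2."""
    return centered_mod(c, p)


def max_permitted_degree(eta, rho2, f_l1_norm=1):
    """Lemma 3.3: a polynomial f of degree d is handled when d <= (eta - 4 - log|f|)/(rho' + 2)."""
    return (eta - 4 - math.log2(f_l1_norm)) / (rho2 + 2)


# The book's toy key (constructed in the worked example; far too small to be secure).
# It is used as given: keygen() would reject it, because x_0 = 360044 is even.
P = 10001
PK = [36 * P + 8, 27 * P + 5, 34 * P + 4, 6 * P + 2]   # [360044, 270032, 340038, 60008]


def book_example():
    """Reproduce c_1' = 300098, c_2' = 80027 and the decryptions of c_1', c_2', their sum and product."""
    c1 = encrypt(PK, 0, 5, subset=[1, 3], r=31)
    c2 = encrypt(PK, 1, 5, subset=[2, 3], r=11)
    return c1, c2, decrypt(P, c1), decrypt(P, c2), decrypt(P, c1 + c2), decrypt(P, c1 * c2)


def noise_growth(p, c, degree):
    """Raise c to successive powers without reduction and report (centered remainder, bit).
    The true noise is raised to the same power; once it passes p/2 the centered remainder
    wraps around and the decrypted bit is wrong, here already at the third power."""
    out = []
    acc = 1
    for _ in range(degree):
        acc *= c
        out.append((noise(p, acc), decrypt(p, acc)))
    return out


if __name__ == "__main__":
    print(book_example())                 # (300098, 80027, 0, 1, 1, 0)
    print(noise_growth(P, 300098, 3))     # [(68, 0), (4624, 0), (4401, 1)]: 68^3 > p/2
    p, pk = keygen(eta=16, gamma=40, rho=4, tau=6)
    print(all(decrypt(p, encrypt(pk, m, 8)) == m for m in (0, 1)))
```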


Correctness: van Dijk et al. [5] provided the proof of correctness for the public-
key somewhat homomorphic encryption scheme by some lemmas as follows. 


Lemma 3.1 ([5]). Let $(sk, pk)$ be output by KeyGen($\lambda$). Let $c = $ Encrypt($pk$, $m$) 
for $m \in \{0, 1\}$. Then $c = a \cdot p + (2b + m)$ for some integers $a$ and $b$ with 
$|2b + m| < \tau 2^{\rho' + 3}$. 


Proof ([5]). By definition, $c = m + 2r + 2\sum_{i \in S} x_i \pmod{x_0}$. Since $|x_0| > |x_i|$ for 
$i = 1, 2, \cdots, \tau$, we have that 


$$c = \Big(m + 2r + 2\sum_{i \in S} x_i\Big) + k \cdot x_0$$


for some $|k| \le \tau$. 
For every $i$, there exist integers $q_i$ and $r_i$ with $|r_i| < 2^{\rho}$ such that $x_i = q_i \cdot p + 2r_i$. 
We have 


$$c = p\Big(k q_0 + 2\sum_{i \in S} q_i\Big) + \Big(m + 2r + k \cdot 2r_0 + 4\sum_{i \in S} r_i\Big)$$


Regarding the rightmost term, its parity is the same as $m$, and its absolute value 
is at most $(4\tau + 3)2^{\rho'} < \tau 2^{\rho' + 3}$. $\square$ 


For a mod-2 arithmetic circuit (composed of mod-2 Add and Mult gates), let us 
consider its generalization to the integers, i.e., the same circuits with the Add and 
Mult gates applied to integers rather than to bits. A permitted circuit [5] is defined 
as one where for any $\alpha \ge 1$ and any set of integer inputs all less than $2^{\alpha(\rho' + 2)}$ in 
absolute value, it holds that the generalized circuit's output has absolute value at 
most $2^{\alpha(\eta - 4)}$. 


Lemma 3.2 ([5]). Let $(sk, pk)$ be output by KeyGen($\lambda$). Let $C$ be a permitted 
circuit with $t$ inputs and one output. For $i \in \{1, 2, \cdots, t\}$ and $m_i \in \{0, 1\}$, let 
$c_i = $ Encrypt($pk$, $m_i$), $m = C(m_1, m_2, \cdots, m_t)$ and $c = C'(c_1, c_2, \cdots, c_t)$, 
where $C'$ is the generalized circuit corresponding to $C$. Then $c = a \cdot p + (2b + m)$ 
for some integers $a$ and $b$ with $|2b + m| < p/8$. 


Proof ([5]). Generally, we have 

$$C'(c_1, c_2, \cdots, c_t) \in C'(2b_1 + m_1, \cdots, 2b_t + m_t) + p\mathbb{Z}$$


So $C'(2b_1 + m_1, \cdots, 2b_t + m_t) \pmod p$ has the same parity as $m = 
C(m_1, m_2, \cdots, m_t)$. We also have that 


$$|C'(2b_1 + m_1, \cdots, 2b_t + m_t)| < 2^{\eta}/16 < p/8$$


by the definition of permitted circuits, since $|2b_i + m_i| < \tau 2^{\rho' + 3}$ by Lemma 3.1. $\square$ 


Based on Lemmas 3.1 and 3.2, we can see that for any permitted circuit $C$ and 
any encryptions of inputs to that circuit, the integer output by the evaluation is of 
the form 


$$c = a \cdot p + (2b + m) \quad \text{with} \quad |2b + m| < p/8$$

where $m$ is the plaintext that $c$ is supposed to encrypt. Accordingly, we have 

$$(c \pmod p) \pmod 2 = (2b + m) \pmod 2 = m$$


Therefore, the public-key somewhat homomorphic encryption scheme can cor-
rectly evaluate any permitted circuit. 

The definition of the permitted circuit is rather indirect. In particular, this 
definition does not give a good picture of what a permitted circuit looks like. 
By the triangle inequality, a k-fan-in Add gate clearly increases the magnitude of 
the integers by at most a factor of k. However, a 2-fan-in Mult gate may square 
the magnitude of the integers—i.e., double their bit-lengths. So, clearly, the main 
bottleneck is the multiplicative depth of the circuit, or the degree of the multivariate 
polynomial computed by the circuit. 


Lemma 3.3 ([5]). Let $C$ be a Boolean circuit with $t$ inputs and $C^*$ be the asso-
ciated integer circuit (where Boolean gates are replaced with integer operations). 
Let $f(x_1, x_2, \cdots, x_t)$ be the multivariate polynomial computed by $C^*$ and $d$ be its 
degree. If $|f| \cdot (2^{\rho' + 2})^d \le 2^{\eta - 4}$ (where $|f|$ is the $\ell_1$ norm of the coefficient vector 
of $f$), then $C$ is a permitted circuit. 

In particular, the somewhat homomorphic encryption scheme can handle $f$ as 
long as 


$$d \le \frac{\eta - 4 - \log |f|}{\rho' + 2}$$


Security: Like the secret key homomorphic encryption scheme, the security 
of the public-key somewhat homomorphic encryption scheme is also based on the 
approximate-GCD problem. 

Consider the approximate-GCD instance $\{x_0, x_1, \cdots, x_\tau\}$ where $x_i = p q_i + r_i$. 
Known attacks on the approximate-GCD problem for two numbers include brute-
forcing the remainders, continued fractions, and Howgrave-Graham's approximate-
GCD algorithm [10]. 

A simple brute-force attack is to try to guess $r_1$ and $r_2$ and verify the guess with 
a GCD computation. Specifically, for $r_1', r_2' \in (-2^{\rho}, 2^{\rho})$, set 


$$x_1' = x_1 - r_1', \quad x_2' = x_2 - r_2', \quad p' = \mathrm{GCD}(x_1', x_2')$$


If $p'$ has $\eta$ bits, output $p'$ as a possible solution. The solution $p$ will definitely be 
found by this technique, and for the parameter choices, where $\rho$ is much smaller 
than $\eta$, the solution is likely to be unique. The running time of the attack is 
approximately $2^{2\rho}$. 

Attacks for arbitrarily large values of $\tau$ include lattice-based algorithms for 
simultaneous Diophantine approximation [11], Nguyen and Stern's orthogonal lattice 
[13], and extensions of Coppersmith's method to multivariate polynomials [2]. 


3.4 Fully Homomorphic Encryption Scheme over Integers 


In this section, we describe the construction of a fully homomorphic encryption 
scheme given by van Dijk et al. [5]. It is built on the somewhat homomorphic encryption 
scheme described in the last section, combined with squashing of the decryption circuit. 


3.4.1 Squashed Encryption 


Let $\kappa, \theta, \Theta$ be three more parameters, which are functions of $\lambda$. We set $\kappa = 
\gamma\eta/\rho'$, $\theta = \lambda$, and $\Theta = \omega(\kappa \cdot \log \lambda)$. For a secret key $sk^* = p$ and public key 
$pk^*$ from the original somewhat homomorphic scheme, we add to the public key a 
set $y = \{y_1, y_2, \cdots, y_\Theta\}$ of rational numbers in $[0, 2)$ with $\kappa$ bits of precision, such 
that there is a sparse subset $S \subset \{1, 2, \cdots, \Theta\}$ of size $\theta$ with 

$$\sum_{i \in S} y_i \approx 1/p \pmod 2$$


Now the secret key is replaced by the indicator vector of the subset $S$. The 
encryption scheme is modified by van Dijk et al. [5] as follows. 


Key Generation KeyGen($\lambda$): Generate $sk^* = p$ and $pk^*$ as before. Set $x_p = 
\lfloor 2^{\kappa}/p \rceil$, choose at random a $\Theta$-bit vector $(s_1, s_2, \cdots, s_\Theta)$ with Hamming weight 
$\theta$, and let $S = \{i : s_i = 1\}$. 
Choose at random integers $u_i \in \mathbb{Z} \cap [0, 2^{\kappa + 1})$, $i = 1, 2, \cdots, \Theta$, subject to the 
condition that 

$$\sum_{i \in S} u_i = x_p \pmod{2^{\kappa + 1}}$$


Set $y_i = u_i/2^{\kappa}$ and $y = \{y_1, y_2, \cdots, y_\Theta\}$. Hence, each $y_i$ is a positive number 
smaller than 2, with $\kappa$ bits of precision after the binary point. Also we have 


$$\sum_{i \in S} y_i \pmod 2 = (1/p) - \Delta_p$$

for some $|\Delta_p| < 2^{-\kappa}$ because 

$$\begin{aligned}
\sum_{i \in S} y_i &= \sum_{i \in S} u_i / 2^{\kappa} \\
&= (x_p + a \cdot 2^{\kappa + 1})/2^{\kappa} \\
&= x_p/2^{\kappa} + a \cdot 2 \\
&= \lfloor 2^{\kappa}/p \rceil/2^{\kappa} + a \cdot 2 \\
&= (1/p - \Delta/2^{\kappa}) + a \cdot 2 \\
&= 1/p - \Delta_p \pmod 2
\end{aligned}$$


where $a$ is an integer and $|\Delta| < 1$. 
Output the secret key $sk = S$ and the public key $\{pk, y\}$. 

Encryption Encrypt($pk$, $c^*$): Given a ciphertext $c^*$, for $i \in \{1, 2, \cdots, \Theta\}$, set 


$$z_i = c^* \cdot y_i \pmod 2$$


keeping only $n = \lceil \log \theta \rceil + 3$ bits of precision after the binary point for each $z_i$. 
Output both $c^*$ and $z = \{z_1, z_2, \cdots, z_\Theta\}$. 

Decryption Decrypt($sk$, $c^*$, $z$): Given the ciphertext $(c^*, z)$ and the private key $sk = S$, 
output 

$$m = \Big(c^* - \Big\lfloor \sum_{i \in S} s_i z_i \Big\rceil\Big) \pmod 2 \qquad (3.13)$$


Correctness: van Dijk et al. [5] provided the proof of correctness for the squashed 
encryption by the following lemma. 


Lemma 3.4 ([5]). The squashed encryption scheme is correct for permitted poly-
nomials. Moreover, for every ciphertext $(c^*, z)$ that is generated by evaluating a 
permitted polynomial, it holds that $\sum_i s_i z_i$ is within $1/4$ of an integer. 


Proof ([5]). Fix public and secret keys, generated with respect to security parameter 
$\lambda$, with $y = \{y_1, y_2, \cdots, y_\Theta\}$ the rational numbers in the public key and $S = 
\{i : s_i = 1\}$ the secret key bits. Recall that the $y_i$ were chosen so that 
$\sum_{i \in S} y_i \pmod 2 = (1/p) - \Delta_p$, where $|\Delta_p| < 2^{-\kappa}$. 

Fix a permitted polynomial $P(x_1, x_2, \cdots, x_t)$. Given $t$ ciphertexts $c_1, c_2, \cdots, c_t$, 
let $c^* = P(c_1, c_2, \cdots, c_t)$; we need to establish that 


$$\lfloor c^*/p \rceil = \Big\lfloor \sum_i s_i z_i \Big\rceil \pmod 2$$


where $z_i$ is computed as $c^* \cdot y_i \pmod 2$ with only $\lceil \log \theta \rceil + 3$ bits of precision after 
the binary point, so $c^* \cdot y_i \pmod 2 = z_i - \Delta_i$ with $|\Delta_i| \le 1/(16\theta)$. We have 


$$\begin{aligned}
(c^*/p) - \sum_i s_i z_i \pmod 2 &= (c^*/p) - \sum_i s_i (c^* \cdot y_i + \Delta_i) \pmod 2 \\
&= (c^*/p) - c^* \sum_i s_i y_i + \sum_i s_i \Delta_i \pmod 2 \\
&= (c^*/p) - c^*(1/p - \Delta_p) + \sum_i s_i \Delta_i \pmod 2 \\
&= c^* \cdot \Delta_p + \sum_i s_i \Delta_i \pmod 2
\end{aligned}$$


To establish the claim, observe that $|\sum_i s_i \Delta_i| \le \theta \cdot \frac{1}{16\theta} = 1/16$. Regarding 
$c^* \cdot \Delta_p$, recall that the output ciphertext $c^*$ is obtained by evaluating the polynomial 
$P$ on the input ciphertexts $c_i$ (as if $P$ was an integer polynomial). By the definition 
of a permitted polynomial, for any $\alpha \ge 1$, if $P$'s inputs have magnitude at most 
$2^{\alpha(\rho' + 2)}$, its output has magnitude at most $2^{\alpha(\eta - 4)}$. In particular, when $P$'s inputs 
are "fresh" ciphertexts, which have magnitude at most $2^{\gamma}$, $P$'s output ciphertext $c^*$ 
has magnitude at most $2^{\gamma(\eta - 4)/(\rho' + 2)} < 2^{\kappa - 4}$. Thus, $|c^* \cdot \Delta_p| < 1/16$. Together, 
we have that $c^* \cdot \Delta_p + \sum_i s_i \Delta_i \pmod 2$ has magnitude at most $1/8$ and therefore 


$$\lfloor c^*/p \rceil = \Big\lfloor \sum_i s_i z_i \Big\rceil \pmod 2.$$

By definition, since $c^*$ is a valid ciphertext output by a permitted polynomial, the 
value $c^*/p$ is within $1/8$ of an integer. Together, it holds that $\sum_i s_i z_i$ is within $1/4$ 
of an integer. $\square$ 


Security: Like the original somewhat homomorphic encryption scheme, the security of the 
squashed encryption scheme is still based on the approximate-GCD problem. 
Besides that, putting the hint $y = \{y_1, y_2, \cdots, y_\Theta\}$ in the public key induces another 
computational assumption, related to the sparse subset sum problem (SSSP) used 
by Gentry [6], and studied previously (sometimes under the name "low-weight" 
knapsack) in the context of server-aided cryptography [12] and in connection to the 
Chor-Rivest cryptosystem [13]. 

The subset sum problem is an important problem in complexity theory and 
cryptography. The problem is this: given a set of integers, is there a nonempty 
subset whose sum is zero? For example, given the set $\{-7, -3, -2, 5, 8\}$, the answer 
is yes because the subset $\{-3, -2, 5\}$ sums to zero. The problem is NP-complete. 
An equivalent problem is this: given a set of integers and an integer $s$, does any 
nonempty subset sum to $s$? Subset sum can also be thought of as a special case of 
the knapsack problem. 

Known attacks on the problem can be easily avoided by choosing $\theta$ large enough 
to avoid brute-force attacks (and improvements using time-space trade-offs) and 
choosing $\Theta$ to be larger than $\omega(\log \lambda)$ times the bit-length of the rational numbers 
in the public key (which have length $\kappa$). 


Example. Let the secret key be $p = 10001$. Set $\kappa = 24$ and 

$$x_p = \lfloor 2^{\kappa}/p \rceil = 1678$$

and choose at random a 9-bit vector with Hamming weight 3, $s = \{0, 0, 1, 0, 0, 1, 0, 1, 0\}$, 
and let $S = \{3, 6, 8\}$. Choose at random integers $u_i \in \mathbb{Z} \cap [0, 2^{25})$, $i = 
1, 2, \cdots, 9$, as follows: 


$$u_1 = 281782$$
$$u_2 = 1892147$$
$$u_3 = 589103$$
$$u_4 = 487403$$
$$u_5 = 491831$$
$$u_6 = 1093482$$
$$u_7 = 293813$$
$$u_8 = 31873525$$
$$u_9 = 5718711$$

where 


$$\sum_{i \in S} u_i = u_3 + u_6 + u_8 = 589103 + 1093482 + 31873525 = 1678 = x_p \pmod{2^{25}}$$


Set $y_i = u_i/2^{\kappa}$, $i = 1, 2, \cdots, 9$, as follows: 


$$y_1 = 0.0167955$$
$$y_2 = 0.1127807$$
$$y_3 = 0.0351133$$
$$y_4 = 0.0290515$$
$$y_5 = 0.0293154$$
$$y_6 = 0.0651766$$
$$y_7 = 0.0175126$$
$$y_8 = 1.8998101$$
$$y_9 = 0.3408617$$

where 


$$\sum_{i \in S} y_i = y_3 + y_6 + y_8 = 0.0351133 + 0.0651766 + 1.8998101 = 2.0001 = 1/p \pmod 2$$


Given a ciphertext $c^* = 300098$, which is the encryption of 0, to re-encrypt $c^*$ 
we compute $z_i = c^* \cdot y_i \pmod 2$, $i = 1, 2, \cdots, 9$, as follows: 


$$z_1 = 0.295959$$
$$z_2 = 1.2625086$$
$$z_3 = 1.4311034$$
$$z_4 = 0.297047$$
$$z_5 = 1.4929092$$
$$z_6 = 1.3673068$$
$$z_7 = 1.4962348$$
$$z_8 = 1.2113898$$
$$z_9 = 1.9144466$$


Let $z = \{z_1, z_2, \cdots, z_9\}$; the re-encryption takes the form $(c^*, z)$. 
For decryption, we compute 


$$\begin{aligned}
c^* - \Big\lfloor \sum_{i \in S} s_i z_i \Big\rceil &= 300098 - \lfloor z_3 + z_6 + z_8 \rceil \\
&= 300098 - \lfloor 1.4311034 + 1.3673068 + 1.2113898 \rceil \\
&= 300098 - \lfloor 4.0098 \rceil \\
&= 300094 = 0 \pmod 2
\end{aligned}$$


The decryption result is the same as the original plaintext bit 0. 
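The squashed key generation, re-encryption and decryption of this section, run on the worked example above, as an added Python example that is not the book's code. The $y_i$ and $z_i$ are kept as integers scaled by a power of two, so the rounding of each $z_i$ to $\lceil \log \theta \rceil + 3$ fractional bits is exact rather than floating point; the constants BOOK_S and BOOK_U are the example's values, and the function names and the random key generation path are my own.

```python
import math
import secrets

KAPPA = 24          # bits of precision of the y_i (the book's toy value)
BIG_THETA = 9       # Theta: number of rational numbers added to the public key
THETA = 3           # theta: size of the sparse subset S


def round_div(a, b):
    """Nearest-integer division, i.e. the rounding ⌊a/b⌉ used by the scheme (b > 0)."""
    return (2 * a + b) // (2 * b)


def squash_keygen(p, kappa=KAPPA, big_theta=BIG_THETA, theta=THETA, subset=None, us=None):
    """Return (S, u) with y_i = u_i / 2^kappa and sum_{i in S} u_i = x_p (mod 2^(kappa+1)),
    where x_p = ⌊2^kappa / p⌉; S and u may be supplied to reproduce the book's instance."""
    mod = 1 << (kappa + 1)
    x_p = round_div(1 << kappa, p)
    if subset is None:
        subset = sorted(secrets.SystemRandom().sample(range(1, big_theta + 1), theta))
    if us is None:
        us = [secrets.randbelow(mod) for _ in range(big_theta)]
        # fix the last member of S so that the subset sum hits x_p modulo 2^(kappa+1)
        us[subset[-1] - 1] = (x_p - sum(us[i - 1] for i in subset[:-1])) % mod
    if sum(us[i - 1] for i in subset) % mod != x_p:
        raise ValueError("u does not satisfy the subset-sum condition")
    return subset, us


def squash_encrypt(c_star, us, kappa=KAPPA, theta=THETA):
    """z_i = c* * y_i (mod 2), kept to n = ceil(log2 theta) + 3 fractional bits.
    The z_i are returned as integers scaled by 2^n, together with n."""
    n = math.ceil(math.log2(theta)) + 3
    zs = []
    for u in us:
        exact = (c_star * u) % (1 << (kappa + 1))      # c* * y_i mod 2, scaled by 2^kappa
        zs.append(round_div(exact, 1 << (kappa - n)))   # round to n fractional bits
    return zs, n


def squash_decrypt(subset, zs, n, c_star):
    """Eq. (3.13): m = (c* - ⌊sum_{i in S} s_i z_i⌉) mod 2, using only the subset S."""
    total = sum(zs[i - 1] for i in subset)             # scaled by 2^n
    return (c_star - round_div(total, 1 << n)) % 2


def subset_sum_distance(subset, zs, n):
    """Distance of sum_{i in S} z_i from the nearest integer (Lemma 3.4 promises < 1/4)."""
    total = sum(zs[i - 1] for i in subset)
    return abs(total - round_div(total, 1 << n) * (1 << n)) / (1 << n)


# The book's toy instance: p, S and the nine u_i from the worked example.
P = 10001
BOOK_S = [3, 6, 8]
BOOK_U = [281782, 1892147, 589103, 487403, 491831, 1093482, 293813, 31873525, 5718711]


def book_example(c_star=300098):
    """Re-encrypt a ciphertext of Sect. 3.3.2 (300098 encrypts 0, 80027 encrypts 1) and
    decrypt it from S and z alone; returns (bit, distance of sum_{i in S} z_i from an integer)."""
    subset, us = squash_keygen(P, subset=BOOK_S, us=BOOK_U)
    zs, n = squash_encrypt(c_star, us)
    return squash_decrypt(subset, zs, n, c_star), subset_sum_distance(subset, zs, n)


if __name__ == "__main__":
    print(round_div(1 << KAPPA, P))          # x_p = 1678
    print(book_example(300098))              # (0, 0.03125)
    print(book_example(80027)[0])            # 1
    S, us = squash_keygen(P)                 # a fresh random squashed key for the same p
    zs, n = squash_encrypt(300098, us)
    print(squash_decrypt(S, zs, n, 300098))  # 0
```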


3.4.2 Bootstrappable Encryption 


Now let us construct homomorphic encryption for circuits of any depth from 
somewhat homomorphic encryption, which is capable of evaluating just a little more 
than its own decryption circuit. 


Definition 3.5 (Augmented Decryption Circuit [5]). Let $\mathcal{E}$ be an encryption 
scheme, where decryption is implemented by a circuit that depends only on the 
security parameter. 


For a given value of the security parameter $\lambda$, the set of augmented decryption 
circuits consists of two circuits; both take as input a secret key and two cipher-
texts: 


- The circuit decrypts both ciphertexts and adds the resulting plaintext bits mod 2; 
- The circuit decrypts both ciphertexts and multiplies the resulting plaintext bits 
mod 2. 


Definition 3.6 (Bootstrappable Encryption [5]). Let $\mathcal{E}$ be a homomorphic encryp-
tion scheme. We say that $\mathcal{E}$ is bootstrappable if its augmented decryption circuits are 
permitted circuits for every value of the security parameter $\lambda$. 


Theorem 3.7 ([5]). The squashed encryption scheme $\mathcal{E}$ is bootstrappable. 


The details of the theorem proof can be found in [5]. 

To reduce the ciphertext size during evaluation, van Dijk et al. [5] added to the 
public key more elements of the form $x_i' = q_i' p + 2r_i'$ where $r_i'$ is chosen as usual 
from the interval $(-2^{\rho}, 2^{\rho})$ but $q_i'$ are chosen much larger than for the other public-
key elements. Specifically, for $i = 0, 1, \cdots, \gamma$, set 


$$q_i' \in \mathbb{Z} \cap [2^{\gamma + i - 1}/p, 2^{\gamma + i}/p), \quad r_i' \in \mathbb{Z} \cap (-2^{\rho}, 2^{\rho}), \quad x_i' = 2(q_i' \cdot p + r_i')$$


thus getting $x_i' \in [2^{\gamma + i}, 2^{\gamma + i + 1})$. 

During evaluation, every time we have a ciphertext that grows beyond $2^{\gamma}$, we 
reduce it first modulo $x_\gamma'$, then modulo $x_{\gamma - 1}'$ and so on all the way down to $x_0'$, at 
which point we again have a ciphertext of bit-length no more than $\gamma$. 

Recall that a single operation at most doubles the bit-length of the ciphertext. 
Hence after any one operation the ciphertext cannot be larger than $2x_\gamma'$ and therefore 
the sequence of modular reductions involves only small multiples of the $x_i'$, which 
means that it only adds a small amount of noise. 

It is not clear to what extent adding these larger integers to the public key 
influences the security of the scheme. 

Fully homomorphic encryption (FHE) allows a worker to perform implicit 
additions and multiplications on plaintext values while exclusively manipulating 
encrypted data. The fully homomorphic scheme proceeds in several steps. First, 
one constructs a somewhat homomorphic encryption scheme, which only supports 
a limited number of multiplications: ciphertexts contain some noise that becomes 
larger with successive homomorphic multiplications, and only ciphertexts whose 
noise size remains below a certain threshold can be decrypted correctly. The second 
step is to squash the decryption procedure associated with an arbitrary ciphertext so 
that it can be expressed as a low-degree polynomial in the secret key bits. Then, 
the key idea, called bootstrapping, consists of homomorphically evaluating this 
decryption polynomial on encryptions of the secret key bits, resulting in a different 
ciphertext associated with the same plaintext, but with possibly reduced noise. This 
refreshed ciphertext can then be used in subsequent homomorphic operations. By 
repeatedly refreshing ciphertexts, the number of homomorphic operations becomes 
unlimited, resulting in a fully homomorphic encryption scheme. 


Theorem 3.8 ([6]). There is an (efficient, explicit) transformation that, given a 
description of a bootstrappable encryption scheme $\mathcal{E}$ and a parameter $d = d(\lambda)$, 
where $\lambda$ is the security parameter, outputs a description of another encryption scheme 
$\mathcal{E}^{(d)}$ such that $\mathcal{E}^{(d)}$ is homomorphic for all circuits of depth up to $d$. 


3.4.3 Implementation 


A fully homomorphic encryption scheme [5] that uses only simple integer arithmetic 
is described as above. The primary open problem is to improve the efficiency of 
the scheme, to the extent that it is possible while preserving the hardness of the 
approximate-GCD problem. 

Gentry and Halevi [8] implemented Gentry's fully homomorphic encryption 
scheme [6]. The performance can be found in [8]. 

Coron et al. [3] extended the fully homomorphic encryption scheme over the 
integers of van Dijk et al. (DGHV) [5] to batch fully homomorphic encryption, 
i.e., to a scheme that supports encrypting and homomorphically processing a vector 
of plaintext bits as a single ciphertext. They also implemented the batch DGHV 
scheme, based on a C++ implementation using the GMP library. Tables 3.1 and 3.2 
list concrete key sizes and timings for their batch DGHV scheme. 

For all security levels, $n = 4$ and $\theta = 15$. In addition, $\ell$ is the length of the 
vector for parallel processing. 


Table 3.1 Parameters of batch DGHV scheme 

Instance | $\lambda$ | $\ell$ | $\rho$ | $\eta$ | $\gamma \times 10^{-6}$ | $\tau$ | $\Theta$ | pk size 
Toy      | 42 | 10  | 26 | 988   | 0.29 | 188   | 150   | 647 kB 
Small    | 52 | 37  | 41 | 1,558 | 1.6  | 661   | 555   | 13.3 MB 
Medium   | 62 | 138 | 56 | 2,128 | 8.5  | 2,410 | 2,070 | 304 MB 
Large    | 72 | 531 | 71 | 2,698 | 39   | 8,713 | 7,965 | 5.6 GB 


Table 3.2 Performance of batch DGHV scheme 

Instance | KeyGen | Encrypt | Decrypt | Mult    | Expand  | Recrypt 
Toy      | 0.06 s | 0.02 s  | 0 s     | 0.003 s | 0.007 s | 0.11 s 
Small    | 1.74 s | 0.23 s  | 0.02 s  | 0.025 s | 0.08 s  | 1.10 s 
Medium   | 73 s   | 3.67 s  | 0.45 s  | 0.16 s  | 1.60 s  | 11.9 s 
Large    | 3493 s | 61 s    | 9.85 s  | 0.72 s  | 28 s    | 172 s 
Chapter 4 
Remote End-to-End Voting Scheme 


Abstract Recently, remote voting systems have gained popularity and have been 
used for government elections and referendums in the United Kingdom, Estonia, and 
Switzerland as well as municipal elections in Canada and party primary elections 
in the United States and France. Current remote voting schemes assume either the 
voter's personal computer is trusted or the voter is not physically coerced. In this 
chapter, we describe a remote end-to-end voting scheme [23], in which the voter's 
choice remains secret even if the voter's personal computer is infected by malware 
or the voter is physically controlled by the adversary. Based on homomorphic 
encryption, the overhead for tallying in such a scheme is linear in the number of 
candidates. Thus, such a scheme is practical for elections at a large scale, such as 
general elections. 


4.1 Introduction 


Essentially, an end-to-end voting system can be envisioned as a decryption network 
composed of a collection of election authorities. The network takes as input a 
collection of encrypted ballots (posted publicly by voters) in one end and outputs 
in another end the tally of votes (posted publicly by the authorities) with a 
mathematical proof that the encrypted ballots were decrypted properly and that the 
votes were unmodified. Informally, an end-to-end voting system achieves integrity 
if any voter can verify that his or her ballot is included unmodified in a collection of 
ballots, and the public can verify that the collection of ballots produces the correct 
final tally, and the system keeps privacy if no voter can demonstrate how he or she 
voted to any third party. 

So far, there have been two main categories of end-to-end voting schemes— 
polling station voting schemes and remote voting schemes. 

Polling station voting schemes, such as [1,11,17,20,22], build their security on an 
untappable channel implemented as a private voting booth at a polling place, where 
a voter can cast his or her ballot in private. Thus, risk of voter coercion and vote 
buying can be greatly mitigated. These schemes require a voter to vote in person at 
a polling station on election days. This may not be convenient for those voters who 
have no access to any polling station on election days, e.g., overseas citizens and 
military voters. 
Remote voting schemes, such as [4, 7, 10, 15], allow people to cast their votes 
over the Internet, most likely through a Web browser, from home, or possibly any 
other location where they have Internet access. While voting of this kind is hoped 
to encourage higher voter turnout and makes accurate accounting for votes easier, 
it also carries the potential of making abuse easier to perform, especially at a large 
scale [15]. One challenge to remote voting is how to prevent voter coercion and vote 
buying because the behavior of a voter casting a ballot remotely can be physically 
controlled by an adversary. Another challenge is how to ensure the remote personal 
computer by which a voter casts his or her vote is trusted because malware can 
endanger integrity of the elections as well as privacy of the voter [16]. 

The first voting scheme was introduced by Chaum [4], based on a mix network, 
where a collection of tally authorities take as input a collection of encrypted votes 
and output a collection of plain votes according to a secret permutation. This scheme 
allows each voter to make sure his or her vote was counted, while preserving the 
privacy of the vote as long as at least one tally authority is honest. In order to 
improve efficiency in tallying, Cohen (Benaloh) and Fischer [8] proposed a voting 
scheme, based on a homomorphic encryption $E$, where $E(x)E(y) = E(x + y)$ for 
any $x$ and $y$ in its domain. The basic idea is for each voter to encrypt his or her vote 
using a public-key homomorphic encryption function. The encrypted votes are then 
summed using the homomorphic property without decrypting them. Finally, a collection 
of tallying authorities cooperate to decrypt the final tally. This scheme also preserves 
the privacy of votes as long as at least one tally authority is honest. In order to 
provide unconditional privacy of votes, Fujioka et al. [10] proposed a voting 
scheme, based on blind signatures, where a signer can digitally sign a document 
without knowing what was signed. The basic idea is that the voter has his or her 
ballot blindly signed by the voting authority and later publishes the ballot using an 
anonymous channel. Current voting schemes are based on mix networks, 
homomorphic encryption, or blind signatures. 

The notion of receipt-freeness was first introduced by Benaloh and Tuinstra [2] 
to model the security of a voting scheme against voter coercion and vote buying. A 
voting scheme is receipt-free if a voter cannot prove to an attacker that he or 
she voted in a particular manner, even if the voter wishes to do so. Receipt-free 
voting schemes, such as [2, 13, 21], assume the existence of a private voting booth 
to isolate the voter from the coercer at the moment he or she casts his or her vote. 
Remote voting schemes are required to be coercion resistant, since the voter can 
be physically controlled by the adversary during voting. A rigorous definition of 
coercion resistance was given by Juels et al. [15]. This model considers a powerful 
adversary who can demand that coerced voters vote in a particular manner, abstain 
from voting, or even disclose their secret keys. A voting scheme is coercion resistant 
if it is infeasible for the adversary to determine whether a coerced voter complies with 
the demands. Intuitively, coercion resistance implies receipt-freeness, which itself 
implies privacy. 

A coercion-resistant remote voting scheme was demonstrated by Juels et al. 
[15]. The basic idea is that each voter casts his or her ballot together with a 
secret credential, both encrypted by the public keys of the tally authorities. After 
a collection of encrypted ballots are mixed with a mix network such as [12, 14, 18], 
the validity of ballots (i.e., the validity of credentials) is checked blindly against 
the voter roll and only valid ballots are decrypted and counted. This scheme does 
not require an untappable channel for a voter to cast his or her ballot, but instead 
assumes an untappable channel for a voter to obtain a secret credential from the 
registrars during registration (potentially using post mail). 

Current coercion-resistant remote voting schemes, such as Juels et al.’s scheme 
[15] and its variants [7], require public-key encryptions on the side of the voter. 
Thus, they require the voter to trust the personal computer actually casting the ballot 
on his or her behalf. Considering that the voter’s personal computer can be infected 
by malware that may reveal the voter’s preferences or even change the encrypted 
ballot cast by the voter, Kutylowski and Zagorski [16] recently proposed a remote 
voting scheme, a combination of paper-based voting schemes Punchscan [5] and 
ThreeBallot [20]. The basic idea is that a voter makes a complete ballot by laying 
a ballot and a coding card side by side. Each voter is issued exactly one ballot by 
the election authority and she or he can get a coding card from any proxy. This 
scheme preserves privacy of votes if both authorities do not collude. Even if the 
voter’s personal computer is infected by viruses, his or her choice remains secret. 
This scheme does not allow a voter to prove how he or she voted unless vote casting 
is physically supervised by an adversary. 

Current remote voting schemes assume either the voter’s personal computer is 
trusted to cast a vote or the voter is not physically controlled by the adversary. In 
this chapter, we describe a remote voting scheme [23], in which the voter’s choice 
remains secret even if the voter’s personal computer is infected by malware or 
the voter is physically controlled by the adversary. The presentation is based on 
the paper by Yi and Okamoto [23]. 

The approach by Yi and Okamoto is motivated by the most efficient voting 
scheme by Hirt and Sako [13] based on homomorphic encryption. The main 
difference between the approach by Hirt and Sako and the one presented in the 
chapter is that Hirt and Sako assume the availability of an untappable channel 
between the voter and the authorities during voting while the approach described 
in this chapter requires the untappable channel during voter registration only. 

Consider an election where the candidates are $\{C_1, C_2, \cdots, C_{n_C}\}$ and the choice 
for each candidate is either "Yes" or "No"; their basic idea can be described 
as follows. First of all, a voter $V_i$ generates a public/private key pair for a digital 
signature scheme on his or her own device. During registration, $V_i$ presents himself 
or herself to a registrar's office, where he or she is allowed privately to input $n_C$ 
references $r_{i,j}$ ($\in \{1, -1\}$) on a trusted entry device (like setting a PIN number in 
a bank branch), which, in turn, encrypts each $g^{r_{i,j}}$ with the public keys of the tally 
authorities according to the ElGamal encryption scheme [9], where $g$ is a generator 
of a cyclic group $G$, and then posts on a public bulletin board the ciphertexts 
$E(g^{r_{i,j}}) = (A_{i,j}, B_{i,j})$ (each corresponds to one candidate $C_j$) along with the 
voter's public key. During voting, $V_i$ posts on the public bulletin board his or her 
ballot composed of $\beta_{i,j} \in \{1, -1\}$ ($j = 1, 2, \cdots, n_C$) and his or her signature on 
it, where $\beta_{i,j} = 1$ if the choice of $V_i$ is the same as his or her reference $r_{i,j}$ and 
$\beta_{i,j} = -1$ otherwise. During tallying, the tallying authorities homomorphically sum 
$(A_{i,j}^{\beta_{i,j}}, B_{i,j}^{\beta_{i,j}})$ over all voters 
for each candidate $C_j$ and then cooperate to decrypt the final tally. 
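The basic idea just described, for one Yes/No candidate, as an added Python example that is not code from the book or from the Yi and Okamoto paper: the tallying authorities' ElGamal keys, registration of a reference $r_i$ as an encryption of $g^{r_i}$ under the product of their public keys, the plain ballot $\beta_i$, the homomorphic tally $(\prod_i A_i^{\beta_i}, \prod_i B_i^{\beta_i})$ and the joint decryption, which recovers $\sum_i v_i$ from $g^{\sum_i v_i}$ by trying the few possible totals. The toy group parameters and all function names are my own; the zero-knowledge proofs and the voter's signature on $\beta_i$ are left out.

```python
import secrets

# Constructed toy group: p = 2q + 1 with p and q prime, and g = 4 generates the
# order-q subgroup of quadratic residues. Far too small for real use.
P, Q, G = 2039, 1019, 4


def rand_exponent():
    """Random element of Z_q^*."""
    return 1 + secrets.randbelow(Q - 1)


def authority_keys(n_t):
    """Each tallying authority T_t picks TSK_t = t_t and publishes TPK_t = g^{t_t} (Eq. 4.1)."""
    sks = [rand_exponent() for _ in range(n_t)]
    return sks, [pow(G, t, P) for t in sks]


def register(reference, tpks):
    """The trusted entry device's R_i = (A_i, B_i) = (g^{y_i}, g^{r_i} (prod_t TPK_t)^{y_i}):
    an ElGamal encryption of g^{r_i} under the product of the authorities' public keys."""
    y = rand_exponent()
    joint = 1
    for tpk in tpks:
        joint = joint * tpk % P
    g_r = G if reference == 1 else pow(G, -1, P)
    return pow(G, y, P), g_r * pow(joint, y, P) % P


def cast(vote, reference):
    """The plain ballot beta_i: 1 if the vote equals the reference, -1 otherwise."""
    return 1 if vote == reference else -1


def tally(rows, betas):
    """(prod_i A_i^{beta_i}, prod_i B_i^{beta_i}) encrypts g^{sum_i r_i beta_i} = g^{sum_i v_i},
    because r_i * beta_i = v_i whenever r_i and beta_i are in {1, -1}."""
    A = B = 1
    for (a, b), beta in zip(rows, betas):
        A = A * pow(a, beta, P) % P          # pow(x, -1, P) is the modular inverse
        B = B * pow(b, beta, P) % P
    return A, B


def joint_decrypt(sks, ab, n_voters):
    """Each authority contributes A^{t_t}; the product of the shares removes the joint key
    and leaves g^{sum_i v_i}, whose small exponent is found by trying every possible total."""
    A, B = ab
    D = 1
    for share in (pow(A, t, P) for t in sks):
        D = D * share % P
    M = B * pow(D, -1, P) % P
    for total in range(-n_voters, n_voters + 1):
        if pow(G, total, P) == M:
            return total
    raise ValueError("tally does not encrypt a valid vote total")


def run_election(votes, n_authorities=3):
    """Whole flow for one Yes/No candidate with votes in {1, -1}; returns (#Yes, #No)."""
    sks, tpks = authority_keys(n_authorities)
    refs = [secrets.choice((1, -1)) for _ in votes]     # r_i, chosen privately at registration
    rows = [register(r, tpks) for r in refs]             # (A_i, B_i) posted on BB
    betas = [cast(v, r) for v, r in zip(votes, refs)]    # plain ballots posted on BB
    total = joint_decrypt(sks, tally(rows, betas), len(votes))
    yes = (len(votes) + total) // 2                      # total = #Yes - #No
    return yes, len(votes) - yes


if __name__ == "__main__":
    print(run_election([1, 1, -1, 1, -1, -1, 1]))        # (4, 3)
```

The published $\beta_i$ alone reveals nothing about $v_i$ without $r_i$, which only the voter and the entry device ever saw, so the ballot can be posted in plain and checked by the voter.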

Compared to most existing remote voting schemes, the scheme described in 
this chapter has three merits as follows: (1) no encryption is needed during voting 
and the ballot cast by a voter is "plain"; thus, any voter can verify that his or her 
ballot is included unmodified; (2) no mix network is needed during tallying and the 
tallying overhead is linear in the number of candidates; therefore it is practical for 
elections at a large scale; (3) verifiability remains even if all election authorities are 
corrupt. 

In addition, this scheme allows a voter to repeatedly refresh his or her references 
remotely after he or she registers and to use the refreshed references for a new election. 
Privacy is built on voter registration protected by an untappable channel. 


4.2 Remote End-to-End Voting 
4.2.1 Participating Parties 


Assume that there exists a publicly readable, insert-only bulletin board (BB) on 
which public information (e.g., public keys, ballots, and final tally) is posted. No 
one can overwrite or erase existing data on BB. The public (including voters) can 
read the contents of BB anytime. 

Normally, the remote voting scheme involves three types of participants as 
follows: 


- Registrar ($R$) authorizes voters for an election by posting each voter's identity 
and public information on BB. 

- Voters ($V_1, V_2, \cdots, V_{n_V}$) are the entities participating in the election adminis-
tered by $R$. 

- Tallying authorities ($T_1, T_2, \cdots, T_{n_T}$) process ballots, jointly count votes, and 
publish the final tally. 


4.2.2 Basic Remote Voting Scheme 


We now introduce a basic remote voting scheme, where there is only one candidate, 
and the choice of the election is either "Yes" or "No." 


Setup: The scheme is built on the ElGamal (homomorphic and threshold) encryp-
tion scheme (ES) [9], the modified ElGamal signature scheme (SS) [19], the 
non-interactive zero-knowledge reencryption proof (ReencPf) [3, 13], and the 
non-interactive zero-knowledge equal discrete logarithm proof (EqDlog) [6], over 
a group $G$ of a large prime order $q$ with a generator $g$. 

Let the choices of the election be $C = \{1, -1\}$, where $1, -1$ stand for "Yes" and 
"No," respectively. 

Let the list of tallying authorities be $T = \{T_1, T_2, \cdots, T_{n_T}\}$. Each $T_i$ randomly 
chooses a private key $TSK_i = t_i$ from $\mathbb{Z}_q^*$ and computes the public key 


$$TPK_i = g^{t_i} \qquad (4.1)$$


Let $TSK = \{t_1, t_2, \cdots, t_{n_T}\}$ and $TPK = \{g^{t_1}, g^{t_2}, \cdots, g^{t_{n_T}}\}$. Let $h$ be chosen 
from a family of collision-resistant hash functions. 

At last, the registrar posts the public parameters $\{R, ES, SS, ReencPf, EqDlog, (G, q, g), h, C, 
T, TPK, V\}$ on the public bulletin board BB. 


Registration: Before registration, each voter V; generates a public/private key pair 
(sk; = xi, pk; = g“) for the signature scheme SS on his or her own device and 
prints out the public key pk; and the hash value h(pk;) on paper. The purpose of 
using a hash function is to facilitate human checking. 

To vote, a voter V; presents himself or herself to a registrar’s office, where V; is 
allowed privately to press Yes or No button on a trusted entry device, which, in turn, 
encrypts g or g7! accordingly, and then prints out the hash value h(R;) on a slip, 
where R; = (A;, Bi) is an encryption of either g or g~!. Let 


nT Yi 
ri = 1, A4; = g”, Bi = e (17x) 


t=1 


if press Yes, and let 


NT Yi 
7; = -1,A; = g" , Bi = g! (i rox 
t=1 


if press No, where y; is randomly chosen by the device from Zi Therefore, R; 
is an encryption of g". The voter V; needs to remember his or her reference rj. 
Having seen h(R;) on the slip, the voter V; is allowed to confirm his or her choice 
by pressing “Confirm” or “Cancel” button on the device, like [1, 16]. 

If $V_i$ presses “Cancel,” the device prints out $r_i, y_i, R_i$ on the slip for $V_i$ to check 
if $r_i$ is his or her choice. In this case, the staff in the registrar’s office tears off the slip 
and provides a handwritten signature on it. $V_i$ either keeps the slip for anyone later 
to check or inserts the slip into a locked box placed in the registrar’s office for the 
election inspector with the key to check later. Then the registration restarts. Note that 
anyone can check if $R_i$ on the slip is computed correctly from $r_i, y_i, TPK$ without 
the knowledge of the private keys of the tallying authorities. 

If the voter $V_i$ presses “Confirm,” the device scans his or her identity (denoted 
as $V_i$ as well) from his or her identity card and his or her public key $pk_i$ from his 
or her paper and then computes the hash value $h(pk_i)$ and prints out $V_i, h(pk_i)$ on 
the slip. The voter needs to check if the hash value $h(pk_i)$ on the slip is the same as 
that on his or her paper. At last, the device provides a non-interactive zero-knowledge 
reencryption proof $P_i$ (using ReencPf) that $R_i$ is a reencryption of either $(1, g)$ or 
$(1, g^{-1})$, posts $V_i, pk_i, h(pk_i), R_i, h(R_i), P_i$ on BB, and then erases $r_i, y_i$ from its 
memory. The staff tears off the slip with $h(R_i), V_i, h(pk_i)$, provides a handwritten 
signature on it, and then hands it to the voter. 

Let the list of registered voters be $V = \{V_1, V_2, \ldots, V_{n_V}\}$. For each $V_i$, there is 
a row 

$(V_i, pk_i, h(pk_i), R_i, h(R_i), P_i)$ 

on BB. 


Voting: The registrar $R$ announces the candidate on BB. Each $V_i$ chooses his or 
her vote $v_i$ from $C = \{1, -1\}$ and determines $\beta_i$ as follows: If $v_i = r_i$, then $\beta_i = 1$. 
If $v_i \neq r_i$, then $\beta_i = -1$. Note that $V_i$ remembers his or her reference $r_i$. 

Next, $V_i$ generates a signature on $\beta_i$ (using SS) as follows: 

$S_i = g^{\delta_i}$   (4.2) 
$T_i = (H(\beta_i, S_i) - S_i x_i)\,\delta_i^{-1} \pmod q$   (4.3) 

where $\delta_i$ is randomly chosen from $Z_q^*$, $H$ is a hash function, and $x_i$ is the private 
key of $V_i$. Note that a time stamp may be included in the message to be signed to 
prevent replay attacks. 

Then, $V_i$ constructs a ballot 

$b_i = \{\beta_i, S_i, T_i\}$ 

and casts it to $R$, which, in turn, posts $b_i$ next to $V_i$ on BB if 

$g^{H(\beta_i, S_i)} = pk_i^{S_i} S_i^{T_i}$   (4.4) 

The voter $V_i$ checks if $b_i$ on BB is the same as that he or she cast. 
Tallying: To tally all valid ballots posted on BB, $T$ performs the following steps: 

1. Combining: Based on the homomorphic property of the ElGamal encryption 
scheme, all valid ballots $\{b_i\}_{i=1}^{n_V}$ on BB can be combined as follows: 

$X_T = \prod_{i=1}^{n_V} A_i^{\beta_i}$   (4.5) 
$Y_T = \prod_{i=1}^{n_V} B_i^{\beta_i}$   (4.6) 

2. Decrypting: Following the threshold ElGamal encryption scheme, each tallying 
authority $T_i$ computes 

$X_i = X_T^{t_i}$   (4.7) 

and posts $X_i$ on BB. With $\{X_i\}_{i=1}^{n_T}$, one can compute 

$Y_T \Big/ \prod_{i=1}^{n_T} X_i = \prod_{i=1}^{n_V} g^{r_i \beta_i} = \prod_{i=1}^{n_V} g^{v_i} = g^{y - n}$ 

where $y, n$ are the numbers of “Yes” and “No” and 

$y + n = n_V$   (4.8) 

Since $n_V$ is a small number relative to $q$, $y$ can be determined from $g^{2y - n_V} = 
g^{y - n}$ by exhaustively searching $y$ from 1 to $n_V$. At last, $T$ releases a tally 

$X = (y, n)$ 

on BB. 
3. Proving: $T_1, T_2, \ldots, T_{n_T}$ jointly provide a multiparty non-interactive zero-
knowledge proof $P$ (using EqDlog) that 

$\prod_{i=1}^{n_T} TPK_i = g^{\sum_{i=1}^{n_T} t_i}$   (4.9) 
$g^{y - n} \big/ Y_T = X_T^{-\sum_{i=1}^{n_T} t_i}$   (4.10) 

have the equal discrete logarithm and then post the proof $P$ next to $X$ on BB. 


Verifying: During registration, each voter $V_i$ is able to check if his or her public 
key $pk_i$ and ciphertext $R_i$ are posted on BB correctly on the basis of the hash values 
$h(pk_i)$ and $h(R_i)$ on his or her registration slip. In addition, $V_i$ is able to detect if 
the entry device in the registrar’s office cheats by pressing “Cancel” and checking if 
$r_i$ on the test slip is his or her choice and if $R_i$ on the test slip is computed correctly, 
by himself or herself or with the help of someone later. During voting, each voter 
$V_i$ is able to check whether $\beta_i$ (either 1 or -1) in the ballot $b_i = \{\beta_i, S_i, T_i\}$ posted 
on BB is his or her choice even if the computer of $V_i$ is infected by malware. 
During registration, the election inspector is able to detect if the entry device 
cheats voters by collecting all test slips with the handwritten signatures of the 
registrar from the test box and checking if all ciphertexts are computed correctly. 
During voting, the public (including the voters) is able to verify if each $R_i$ is an 
encryption of either $g$ or $g^{-1}$ based on the non-interactive zero-knowledge proof $P_i$, 
and check if each ballot $b_i$ is valid with the signature $(S_i, T_i)$ of $V_i$. During tallying, 
the public can check if all valid ballots are combined and decrypted correctly based 
on the non-interactive zero-knowledge proof $P$. 


Remark. The basic scheme can fit a two-candidate election trivially. 


4.2.3 General Remote Voting Scheme 


The basic remote voting scheme can be used to build a general remote voting 
scheme, where there is a list of candidates $C = \{C_1, C_2, \ldots, C_{n_C}\}$, and the choice 
for each candidate is either “Yes” or “No.” 


Setup: Same as in the basic scheme, the registrar $R$ posts $\Omega = \{R, ES, SS, ReencPf, EqDlog, (G, q, g), h, C, T, TPK, V\}$ 
on the public bulletin board BB. 


Registration: For registration, a voter $V_i$ presents himself or herself with his or her 
printed public key $pk_i$ and hash value $h(pk_i)$ to the registrar’s office, where $V_i$ is 
allowed privately to enter an integer 

$r_i = a_{i,1} + a_{i,2} 2 + \cdots + a_{i,n_C} 2^{n_C - 1}$   (4.11) 

where $a_{i,j}$ is either 0 or 1, into a trusted entry device, which, in turn, encrypts a 
series of $g$ and $g^{-1}$ according to $a_{i,j}$. The ciphertext $R_{i,j} = (A_{i,j}, B_{i,j})$ and 

$(A_{i,j}, B_{i,j}) = \begin{cases} \Big(g^{y_{i,j}},\ g \Big(\prod_{t=1}^{n_T} TPK_t\Big)^{y_{i,j}}\Big) & \text{if } a_{i,j} = 0 \\ \Big(g^{y_{i,j}},\ g^{-1} \Big(\prod_{t=1}^{n_T} TPK_t\Big)^{y_{i,j}}\Big) & \text{if } a_{i,j} = 1 \end{cases}$ 

where $y_{i,j}$ is randomly chosen by the device from $Z_q^*$. Then the device prints out the 
hash value $h(R_i)$ on a slip, where $R_i = \{R_{i,j}\}_{j=1}^{n_C}$. The voter $V_i$ needs to remember 
his or her reference $r_i$ (like a PIN number). If the number of candidates is large, $V_i$ 
may write down $r_i$ on a note privately. 

Having seen $h(R_i)$ on the slip, $V_i$ decides whether to confirm $r_i$. If not, the device 
prints out $r_i$, $\{y_{i,j}\}_{j=1}^{n_C}$ and $R_i$ on the slip. In this case, the staff in the registrar’s 
office tears off the slip and provides a handwritten signature on it. $V_i$ either keeps 
the slip for anyone later to check or inserts the slip into a locked box placed in 
the registrar’s office for the election inspector with the key to check later. Then the 
registration restarts. Otherwise, the device scans the identity $V_i$ and the public key 
$pk_i$ and prints out $V_i, h(pk_i)$ on the slip for $V_i$ to check. At last, the device provides 
non-interactive zero-knowledge reencryption proofs $P_i$ (using ReencPf) that each 
ciphertext in $R_i$ is a reencryption of either $(1, g)$ or $(1, g^{-1})$, erases $r_i, a_{i,j}, y_{i,j}$ 
from its memory, and posts 

$V_i, pk_i, h(pk_i), R_i, h(R_i), P_i$ 

on BB. The staff tears off the slip with $h(R_i), V_i, h(pk_i)$, provides a handwritten 
signature on it, and then hands it to the voter. 


Voting: The registrar $R$ announces the list of candidates $C = \{C_1, C_2, \ldots, C_{n_C}\}$ 
on BB. 

For each candidate $C_j$ ($j = 1, 2, \ldots, n_C$), a voter $V_i$ chooses his or her vote 
$v_{i,j}$ from $\{1, -1\}$ and determines $\beta_{i,j}$ as follows: If $v_{i,j} = (-1)^{a_{i,j}}$, then $\beta_{i,j} = 1$. 
If $v_{i,j} \neq (-1)^{a_{i,j}}$, then $\beta_{i,j} = -1$. Note that $V_i$ remembers his or her reference 
$r_i = a_{i,1} + a_{i,2} 2 + \cdots + a_{i,n_C} 2^{n_C - 1}$. 

Next, $V_i$ generates a signature on $\{\beta_{i,1}, \beta_{i,2}, \ldots, \beta_{i,n_C}\}$ as follows: 

$S_i = g^{\delta_i}$   (4.12) 
$T_i = (H(\beta_{i,1}, \beta_{i,2}, \ldots, \beta_{i,n_C}, S_i) - S_i x_i)\,\delta_i^{-1} \pmod q$   (4.13) 

where $\delta_i$ is randomly chosen from $Z_q^*$ and $x_i$ is the private key of $V_i$. 
Then, $V_i$ constructs a ballot 

$b_i = \{\{\beta_{i,j}\}_{j=1}^{n_C}, S_i, T_i\}$ 

and casts it to $R$, which, in turn, posts $b_i$ next to $V_i$ on BB if 

$g^{H(\beta_{i,1}, \beta_{i,2}, \ldots, \beta_{i,n_C}, S_i)} = pk_i^{S_i} S_i^{T_i}$   (4.14) 

The voter $V_i$ checks if $b_i$ on BB is the same as that he or she cast. 


Tallying: To tally all valid ballots posted on BB for each candidate $C_j$ ($j = 
1, 2, \ldots, n_C$), $T$ performs the following steps: 

1. Combining: $T$ combines all valid ballots on BB for the candidate $C_j$ as follows: 

$X_{T,j} = \prod_{i=1}^{n_V} A_{i,j}^{\beta_{i,j}}$   (4.15) 
$Y_{T,j} = \prod_{i=1}^{n_V} B_{i,j}^{\beta_{i,j}}$   (4.16) 

2. Decrypting: Each tallying authority $T_i$ computes $X_{i,j} = X_{T,j}^{t_i}$ and posts $X_{i,j}$ on 
BB. By $\{X_{i,j}\}_{i=1}^{n_T}$, one can compute 

$Y_{T,j} \Big/ \prod_{i=1}^{n_T} X_{i,j} = \prod_{i=1}^{n_V} g^{(-1)^{a_{i,j}} \beta_{i,j}} = \prod_{i=1}^{n_V} g^{v_{i,j}} = g^{y_j - n_j}$ 

where $y_j, n_j$ are the numbers of “Yes” and “No” for the candidate $C_j$ and $y_j + 
n_j = n_V$. Then $y_j$ can be determined from $g^{2y_j - n_V} = g^{y_j - n_j}$ by exhaustively 
searching $y_j$ from 1 to $n_V$. At last, $T$ releases a tally 

$X_j = (y_j, n_j)$ 

for the candidate $C_j$ on BB. 
3. Proving: Tallying authorities $T_1, T_2, \ldots, T_{n_T}$ jointly provide a multiparty non-
interactive zero-knowledge proof $P_{C_j}$ (using EqDlog) that 

$\prod_{i=1}^{n_T} TPK_i = g^{\sum_{i=1}^{n_T} t_i}$   (4.17) 
$g^{y_j - n_j} \big/ Y_{T,j} = X_{T,j}^{-\sum_{i=1}^{n_T} t_i}$   (4.18) 

have the equal discrete logarithm and then post the proof $P_{C_j}$ next to $X_j$ on BB. 
Verifying: Same as in the basic voting scheme. 


Remark. The general scheme can fit an $m$ out of $n$ selection election (where 
$m < n$), in which $m$ candidates are elected from $n$ candidates $C_1, C_2, \ldots, C_n$, as 
long as we rank $y_i - n_i$ ($i = 1, 2, \ldots, n_C$) after tallying. In addition, the general 
scheme can be extended to a ranked election. For example, considering a ranked 
election with 4 candidates $C_1, C_2, C_3, C_4$, a voter can rank them by 4 preferences 
$(+, +), (+, -), (-, +)$, and $(-, -)$. To implement this, each voter presets two 
ciphertexts $R_{i,j,1}, R_{i,j,2}$ on BB for each candidate $C_j$. After voting, the two columns 
of ciphertexts for $C_j$ are tallied, respectively, and the tallying result for $C_j$ can be 
$2(y_{j,1} - n_{j,1}) + (y_{j,2} - n_{j,2})$, where $(y_{j,k}, n_{j,k})$ is the tallying result of the $k$th column 
of the ciphertexts for $C_j$. 


4.2.4 Voter Reference Refresh 


In the basic and general remote voting schemes, the reference of a voter can be used 
for one election only. For a new election, the voter may go to the registrar’s office 
to reset his or her reference as the registration described above or refresh his or her 
reference online as follows. 

For the basic scheme, when the voter $V_i$ refreshes his or her reference $r_i$ ($\in 
\{1, -1\}$), whose ciphertext on BB is $R_i = (A_i, B_i)$, he or she randomly chooses $\mu_i$ 
from $\{1, -1\}$ while his or her computer randomly chooses $\rho_i$ from $Z_q^*$ and computes 

$R_i' = (A_i', B_i') = \Big(g^{\rho_i} A_i^{\mu_i},\ \Big(\prod_{t=1}^{n_T} TPK_t\Big)^{\rho_i} B_i^{\mu_i}\Big)$   (4.19) 

where $R_i'$ is an encryption of $g^{r_i \mu_i}$ and the refreshed reference is $r_i' = r_i \mu_i$. Next the 
computer of $V_i$ provides a non-interactive zero-knowledge reencryption proof $P_i'$ 
that $R_i'$ is a reencryption of either $(A_i, B_i)$ or $(A_i^{-1}, B_i^{-1})$ and generates a signature 
on $R_i'$ as follows: 

$S_i' = g^{\delta_i'}$   (4.20) 
$T_i' = (H(R_i', S_i') - S_i' x_i)\,\delta_i'^{-1} \pmod q$   (4.21) 

where $\delta_i'$ is randomly chosen from $Z_q^*$ and $x_i$ is the private key of $V_i$. At last, $V_i$ 
posts 

$(R_i', S_i', T_i', P_i')$ 

next to $V_i$ on BB. 


Remark. If an adversary coerces a voter $V_i$ to compute $R_i'$ with $\mu_i$ and $\rho_i$ chosen by 
himself or herself, he or she is uncertain of the refreshed reference $r_i' = r_i \mu_i$ because 
he or she is uncertain of the original reference $r_i$. In case the registrar obtains $r_i, y_i$ 
during the registration of $V_i$, the registrar is uncertain of the refreshed reference $r_i' = 
r_i \mu_i$ because he or she is uncertain of $\mu_i$. 


For the general scheme, when the voter $V_i$ refreshes his or her reference $r_i$ ($= 
a_{i,1} + a_{i,2} 2 + \cdots + a_{i,n_C} 2^{n_C - 1}$, where $a_{i,j} \in \{0, 1\}$), he or she randomly chooses 
$\mu_{i,1}, \mu_{i,2}, \ldots, \mu_{i,n_C}$ from $\{1, -1\}$, while his or her computer chooses random numbers 
$\rho_{i,1}, \rho_{i,2}, \ldots, \rho_{i,n_C}$ from $Z_q^*$ and computes 

$R_i' = \{(A_{i,j}', B_{i,j}')\}_{j=1}^{n_C} = \Big\{\Big(g^{\rho_{i,j}} A_{i,j}^{\mu_{i,j}},\ \Big(\prod_{t=1}^{n_T} TPK_t\Big)^{\rho_{i,j}} B_{i,j}^{\mu_{i,j}}\Big)\Big\}_{j=1}^{n_C}$   (4.22) 

where $R_i'$ is the set of the encryptions of 

$\big(g^{\mu_{i,1}(-1)^{a_{i,1}}}, g^{\mu_{i,2}(-1)^{a_{i,2}}}, \ldots, g^{\mu_{i,n_C}(-1)^{a_{i,n_C}}}\big)$ 

and the refreshed reference is 

$r_i' = a_{i,1}' + a_{i,2}' 2 + \cdots + a_{i,n_C}' 2^{n_C - 1}$   (4.23) 

where 

$a_{i,j}' = \dfrac{1 - \mu_{i,j}(-1)^{a_{i,j}}}{2}$   (4.24) 

Next $V_i$ provides a non-interactive zero-knowledge reencryption proof $P_i'$ that each 
$(A_{i,j}', B_{i,j}')$ in $R_i'$ is a reencryption of either $(A_{i,j}, B_{i,j})$ or $(A_{i,j}^{-1}, B_{i,j}^{-1})$ and generates 
a signature on $R_i'$ as follows: 

$S_i' = g^{\delta_i'}$   (4.25) 
$T_i' = (H(R_i', S_i') - S_i' x_i)\,\delta_i'^{-1} \pmod q$   (4.26) 

where $\delta_i'$ is randomly chosen from $Z_q^*$ and $x_i$ is the private key of $V_i$. At last, $V_i$ 
posts $(R_i', S_i', T_i', P_i')$ next to $V_i$ on BB. 


Remark. As a voter $V_i$ is able to test if the entry device in the registrar’s office is 
cheating during the registration, $V_i$ is able to test if his or her computer is cheating 
during voter reference refresh by sending test data to the election inspector by post. 


4.3 Conclusion and Discussion 


In this chapter, we have described an Internet voting system [23]. While the 
overhead for tallying in Juels et al.’s remote voting system [15] is quadratic in the 
number of voters, the overhead for tallying in the Internet voting system described 
in this chapter is only $O(n_V)$, which is linear in the number of voters. Therefore, 
the system is practical for elections at a large scale, such as general elections. 
In addition, Juels et al.’s remote voting system [15] is not verifiable in the sense 
that an adversary, who has corrupted all tallying authorities, is able to forge valid 
ballots without being detected. The Internet voting system in this chapter overcomes 
this drawback. Even if the adversary corrupts all election authorities, the adversary 
is unable to forge any valid ballot in the system. At last, a voter in the Internet 
voting system does not need to encrypt his or her ballot during voting. The ballot is 
in a form of plaintext. Therefore, even if the voter’s personal computer is infected 
by malware, any modification on the voter’s ballot can be detected by the voter. 
Furthermore, his or her vote choice remains secret because his or her final vote is a 
combination of his or her ballot and his or her reference which is encrypted during 
registration and posted on the bulletin board. 
Chapter 5 
Nearest Neighbor Queries with Location 
Privacy 


Abstract In mobile communication, spatial queries pose a serious threat to user 
location privacy because the location of a query may reveal sensitive information 
about the mobile user. In this chapter, we consider $k$ nearest neighbor (kNN) queries 
where the mobile user queries the location-based service (LBS) provider about $k$ 
nearest points of interest (POIs) on the basis of his or her current location. We 
describe a solution given by Yi et al. [22] for the mobile user to preserve his or 
her location privacy in kNN queries. The solution is built on the Paillier public-
key cryptosystem [11] and can provide both location privacy and data privacy. In 
particular, the solution allows the mobile user to retrieve one type of POIs, for 
example, $k$ nearest car parks, without revealing to the LBS provider what type of 
points is retrieved. For a cloaking region with $n \times n$ cells and $m$ types of points, the 
total communication complexity for the mobile user to retrieve a type of $k$ nearest 
POIs is $O(n + m)$ while the computation complexities of the mobile user and the 
LBS provider are $O(n + m)$ and $O(n^2 m)$, respectively. Compared with existing 
solutions for kNN queries with location privacy, this solution is more efficient. 


5.1 Introduction 


The embedding of positioning capabilities (e.g., GPS) in mobile devices facilitates 
the emergence of location-based services (LBSs), which are considered as the next 
“killer application” in the wireless data market. LBS allows clients to query a 
service provider (such as Google or Bing Maps) in a ubiquitous manner, in order 
to retrieve detailed information about points of interest (POIs) in their vicinity 
(e.g., restaurants, hospitals, etc.). 

The LBS provider processes spatial queries on the basis of the location of the 
mobile user. Location information collected from mobile users, knowingly and 
unknowingly, can reveal far more than just a user’s latitude and longitude. Knowing 
where a mobile user is can mean knowing what he/she is doing: attending a religious 
service or a support meeting, visiting a doctor’s office, shopping for an engagement 
ring, carrying out non-work-related activities in office, or spending an evening at the 
corner bar. It might reveal that he or she is interviewing for a new job or “out” him 
or her as a participant at a gun rally or a peace protest. It can mean knowing with 
whom he/she spends time and how often. When location data are aggregated, it can 
reveal his/her regular habits and routines—and when he or she deviates from them. 

A 2010 survey conducted for Microsoft in the United Kingdom, Germany, Japan, 
the United States, and Canada found that 94 % of consumers who had used LBSs 
considered them valuable, but the same survey found that 52 % were concerned 
about potential loss of privacy. 

In this chapter, we consider $k$ nearest neighbor (kNN) queries where the mobile 
user queries the LBS provider about $k$ nearest POIs. In general, the mobile user 
needs to submit his or her location to the LBS provider, which then finds and 
returns to the user the $k$ nearest POIs by comparing the distances between the mobile 
user’s location and the POIs nearby. This reveals the mobile user’s location to the LBS 
provider. 

There have been numerous techniques that can provide a certain degree of 
location privacy. These techniques mainly include 

• Information access control [10, 23]; 
• Mix zone [2]; 
• $k$-Anonymity [1, 3, 9]; 
• “Dummy” locations [8, 16, 21]; 
• Geographic data transformation [6, 7, 19, 20]; 
• Private information retrieval (PIR) [4, 5, 12–14]. 


Location-based service queries based on access control, mix zone, and $k$-anonymity 
require the service provider or the middleware that maintains all user 
locations. They are vulnerable to misbehavior of the third party. They offer little 
protection when the service provider/middleware is owned by an untrusted party. 
There have been private data inadvertently disclosed over the Internet in the past. 

k-Anonymity is initially used for identity privacy protection. It is generally 
inadequate for location privacy protections, where the notion of distance between 
locations is important (unlike distances between identities). The effect of LBS 
queries based on k-anonymity depends heavily on the distribution and density of 
the mobile users, which, however, are beyond the control of the location privacy 
technique. 

Location-based service queries based on dummy locations require the mobile 
user randomly to choose a set of fake locations, to send the fake locations to the 
LBS, and to receive the false reports from the LBS over the mobile network. This 
incurs both computation and communication overhead in mobile devices. For the 
purpose of efficiency, the mobile user may choose fewer fake locations, but the LBS 
provider can restrict the user in a small subspace of the total domain, leading to 
weak privacy. 

Location-based service queries based on geographic data transformation are 
prone to access pattern attacks [18] because the same query always returns the same 
encoded results. For example, the LBS may observe the frequencies of the returned 
ciphertexts. Having knowledge about the context of the database, it can match the 
most popular plaintext POI with the most frequently returned ciphertext and, thus, 
unravel information about the query. 

Location-based service queries based on PIR provide strong cryptographic 
guarantees, but are often computationally and communicationally expensive. To 
improve efficiency, trusted hardware was employed to perform PIR for LBS queries 
[12]. This technique is built on hardware-aided PIR [17], which assumes that a 
trusted third party (TTP) initializes the system by setting the secret key and the 
permutation of the database. Like LBS queries based on access control, mix zone, 
and k-anonymity, this technique is vulnerable to misbehavior of the third party. 

It is a challenge to give practical solutions for kNN queries with location privacy 
on the basis of PIR. 

In this chapter, we describe some solutions for kNN queries by Yi et al. [22] on 
the basis of PIR with the Paillier public-key cryptosystem [11]. Yi et al.’s work has 
three main contributions as follows: 


• Current PIR-based LBS queries [4, 5, 13, 14] usually require two stages. In the 
first stage, the mobile user retrieves the index of his or her location from the LBS 
provider. In the second stage, the mobile user retrieves the POIs according to the 
index from the LBS provider. To simplify the process, Yi et al. give a solution 
for kNN queries which needs one stage only, i.e., the mobile user sends his or 
her location (encrypted) to the LBS provider and receives the $k$ nearest POIs 
(encrypted) from the LBS provider. 

• Current PIR-based LBS queries only allow the mobile user to find out $k$ nearest 
POIs regardless of the type of POIs. For the first time, Yi et al. take into account 
the type of POIs in kNN queries and give a solution for the mobile user to find 
out $k$ nearest POIs of the same type without revealing to the LBS provider what type 
of POIs he or she is interested in. 

• Current PIR-based LBS queries all need to fix a cloaking region based on which 
the LBS provider generates the responses to the mobile user’s queries. If the 
cloaking region is large, the LBS queries are inefficient. If the cloaking region is 
small, the LBS queries have weak privacy. Yi et al. give a solution for the mobile 
user to specify a large public cloaking region but let the LBS provider generate 
the responses actually based on a small private cloaking region repeatedly. 


For a cloaking region with $n \times n$ cells and $m$ types of points, assume that the 
mobile user wishes to retrieve a type of $k$ nearest POIs at his or her location; then the 
total communication complexity is $O(n + m)$ while the computation complexities 
of the mobile user and the LBS provider are $O(n + m)$ and $O(n^2 m)$, respectively. 
Compared with previous solutions for kNN queries with location privacy, this 
solution is more efficient. 
5.2 Private $k$ Nearest Neighbor Queries 


5.2.1 Security Model 


The security model considers an LBS scenario in mobile environments, as shown in 
Fig. 5.1, where there exist the mobile user, the LBS provider, the base station and 
satellites, each playing a different role. 


• The mobile user sends location-based queries to the LBS provider and receives 
LBSs from the provider. 
• The LBS provider provides LBSs to the mobile user. 
• The base station bridges the mobile communications between the mobile user 
and the LBS provider. 
• Satellites provide the location information to the mobile user. 


We assume that the mobile user can acquire his or her location from satellites 
anonymously, and that the base station and the LBS provider do not collude to 
compromise the user’s location privacy, or that there exists an anonymous channel such as Tor 
for the mobile user to send queries to and receive services from the LBS provider. 
The model focuses on user location privacy protection against the LBS provider, 
and a kNN query protocol (where $k$ is fixed) is composed of three algorithms as 
follows: 


1. Query Generation (QG): Taking as input a cloaking region $CR$ with $n \times n$ cells 
and $m$ distinct types of POIs, the location $(i, j)$ of the mobile user, and the type 
$t$ of POIs, the mobile user outputs a query $Q$ (containing $CR$) and a secret $s$, 
denoted as $(Q, s) = QG(CR, n, m, (i, j), t)$. 

2. Response Generation (RG): Taking as input the query $Q$ and the location-based 
database $D$ of POIs, the LBS provider outputs a response $R$, denoted as $R = 
RG(Q, D)$. 

3. Response Retrieval (RR): Taking as input the response $R$ and the secret $s$ of the 
mobile user, the mobile user outputs $k$ nearest POIs of the type $t$, denoted as 
$kNN = RR(R, s)$. 

Fig. 5.1 Location-based service (mobile user, base station, LBS provider) 

Fig. 5.2 Private kNN query: 1) $(Q, s) = QG(CR, n, m, (i, j), t)$ at the mobile user; 2) $R = RG(Q, D)$ at the LBS provider; 3) $kNN = RR(R, s)$ at the mobile user 

A private kNN query protocol is illustrated in Fig. 5.2 and is correct if 
$kNN = RR(R, s)$ outputs $k$ nearest POIs of the type $t$ corresponding to the cell at 
$(i, j)$, where $(Q, s) = QG(CR, n, m, (i, j), t)$ and $R = RG(Q, D)$. 

The security of a private kNN query protocol involves data privacy and location 
privacy. Intuitively, the LBS provider $S$ wishes to release only the $k$ nearest POIs 
of one type to the mobile user $U$ each time the user sends a kNN query. 
Meanwhile, the mobile user $U$ does not wish to reveal to the LBS provider his or 
her location $(i, j)$ and the type $t$ of POIs he or she is interested in. 

Formally, data privacy can be defined with a game as follows. 

Given a user location $(i, j)$ where $1 \le i, j \le n$ and one type $t$ of POIs, consider 
the following game between an adversary (the user) $A$ and a challenger $C$. The game 
consists of the following steps: 


1. The adversary chooses any two distinct cloaking regions $CR_1$ and $CR_2$ with 
$n \times n$ cells such that the $k$ nearest POIs of the type $t$ in the cell $(i, j)$ are the same. The 
adversary generates a query $Q$ to retrieve the $k$ nearest POIs of the type $t$ in the 
cell $(i, j)$ and sends $Q, CR_1, CR_2$ to the challenger $C$. 

2. The challenger $C$ chooses a random bit $b \in \{0, 1\}$, and runs the Response 
Generation algorithm RG to obtain $R_b = RG(Q(CR_b), D)$, and then sends 
$R_b$ back to $A$. 

3. The adversary $A$ can experiment with the code of $R_b$ in an arbitrary non-black-
box way. If the adversary can retrieve the $k$ nearest POIs of the type $t$ in the cell 
$(i, j)$ from $R_b$, he or she outputs $b' \in \{0, 1\}$. 


The adversary wins the game if $b' = b$ and loses otherwise. We define the 
adversary $A$’s advantage in this game to be 

$Adv_A(k) = |\Pr(b' = b) - 1/2|$, 

where $k$ is the security parameter. 


Definition 5.1 (Data Privacy Definition). In a kNN query protocol, the LBS 
provider has data privacy if for any probabilistic polynomial time (PPT) adversary 
$A$, we have that $Adv_A(k)$ is a negligible function, where the probability is taken 
over the coin tosses of the challenger and the adversary. 


Remark. Data privacy ensures that the response distributions in the user’s view are 
computationally indistinguishable for any two cloaking regions $CR_1$ and $CR_2$ such 
that the $k$ nearest POIs of the type $t$ in the cell $(i, j)$ in the two cloaking regions 
are the same. This means that a computationally bounded user does not receive 
information about more than one cell in the cloaking region $CR$. 


Next, we formally define location privacy with a game as follows. 

Given a cloaking region $CR$ with $n \times n$ cells and $m$ types of POIs, consider the 
following game between an adversary (the LBS provider) $A$ and a challenger $C$. 
The game consists of the following steps: 


1. The adversary $A$ chooses two distinct tuples $(i_0, j_0, t_0)$ and $(i_1, j_1, t_1)$, where 
$(i_b, j_b)$ represents the cell and $t_b$ stands for the type of POIs, from the cloaking 
region $CR$ and sends them to the challenger $C$. 

2. The challenger $C$ chooses a random bit $b \in \{0, 1\}$ and executes the Query 
Generation (QG) to obtain $(Q_b, s) = QG(CR, n, m, (i_b, j_b), t_b)$ and then sends 
$Q_b$ back to the adversary $A$. 

3. The adversary $A$ can experiment with the code of $Q_b$ in an arbitrary non-black-
box way and finally outputs a bit $b' \in \{0, 1\}$. 


The adversary wins the game if $b' = b$ and loses otherwise. We define the 
adversary $A$’s advantage in this game to be 

$Adv_A(k) = |\Pr(b' = b) - 1/2|$ 

where $k$ is the security parameter. 


Definition 5.2 (Location Privacy Definition). In a kNN query protocol, the user 
has location privacy if for any probabilistic polynomial time (PPT) adversary $A$, 
we have that $Adv_A(k)$ is a negligible function, where the probability is taken over 
the coin tosses of the challenger and the adversary. 


Remark. Location privacy ensures that the server cannot determine the location of 
the mobile user in the cloaking region $CR$ and the type of POIs from the kNN query 
of the mobile user. 


Based on the model, we describe some constructions of the private kNN query 
protocol by Yi et al. [22] which allow the mobile user to find $k$ nearest POIs from 
a cloaking region. These solutions are built on the Paillier homomorphic encryption 
scheme [11] and the Rabin encryption scheme [15]. 
5.2.2 Private kNN Queries Without Data Privacy 


First of all, we describe a basic construction of the kNN query protocol without 
considering data privacy of the LBS provider. We assume that there is only one 
type of POIs and so we ignore the type of POIs and $t$ in the model in this case. 

Initially, the LBS provider divides the location-based database $D$ (a geographic 
map) into cells of the same size, for example, 1 km width and 1 km length. Based 
on the center of each cell, the LBS provider collects $k$ nearest POIs, $P_1, P_2, \ldots, P_k$, 
as shown in Fig. 5.3, and each point is represented by a tuple $(x, y)$, where $x$ and $y$ 
are the latitude and longitude of the point, respectively. For each cell $(i, j)$, the LBS 
provider keeps the $k$ nearest POIs, represented as a stream of bits, denoted as an integer 
$d_{i,j}$. We assume $M = \max(d_{i,j})$, i.e., the longest record. 


Remark. Because the LBS provider collects the $k$ nearest POIs according to the center 
of each cell (i.e., the red points shown in Fig. 5.3), the LBS provider returns the 
same $k$ nearest POIs to two mobile users within the same cell no matter where 
the two mobile users are in the cell. A mobile user located near the border 
of two cells may query two cells or even four cells around his or her 
location and then find out the $k$ nearest POIs among the query responses. The purpose 
of this method is to avoid privately comparing distances, which is hard to do without 
revealing the location of the user. 


We assume that the mobile user $U$ wishes to find $k$ nearest POIs around his or her 
location. To do so, the user $U$ chooses a cloaking region $CR$ with $n \times n$ cells, where $U$ 
is located in the cell $(i, j)$, and runs the kNN query protocol with the LBS provider 
$S$, composed of three algorithms, Query Generation (QG), Response Generation 
(RG), and Response Retrieval (RR), as described in Algorithms 1–3. 


Fig. 5.3 $k$ Nearest POIs for cells 
Algorithm 1 Query Generation (user) 

Input: $CR, n, (i, j)$ 
Output: $Q, s$ 
1: Randomly choose two large primes $p, q$ such that $N = pq > M$. 
2: Let $sk = \{p, q\}$ and $pk = \{g, N\}$, where $g$ is chosen from $Z_{N^2}^*$ and its order is a nonzero 
multiple of $N$. 
3: For each $\ell \in \{1, 2, \ldots, n\}$, pick a random integer $r_\ell \in Z_{N^2}^*$ and compute 

$c_\ell = \begin{cases} Encrypt(1, pk) = g\, r_\ell^N \pmod{N^2} & \text{if } \ell = i \\ Encrypt(0, pk) = r_\ell^N \pmod{N^2} & \text{otherwise} \end{cases}$ 

where the encryption algorithm is described in the Paillier cryptosystem. 
4: Let $Q = \{CR, n, c_1, c_2, \ldots, c_n, pk\}$, $s = sk$. 
5: return $Q, s$ 


Algorithm 2 Response Generation RG (server) 
Input: $D$, $Q = \{CR, n, c_1, c_2, \ldots, c_n, (g, N)\}$ 
Output: $R = \{C_1, C_2, \ldots, C_n\}$ 
1: Based on $CR$ and $n$, compute $R = \{C_1, C_2, \ldots, C_n\}$ where for $\gamma = 1, 2, \ldots, n$, 

$C_\gamma = \prod_{\ell=1}^{n} c_\ell^{d_{\ell,\gamma}} \pmod{N^2}$ 

2: return $R$ 


Algorithm 3 Response Retrieval RR (user) 
Input: $R = \{C_1, C_2, \ldots, C_n\}$, $sk = s$ 
Output: $d$ 
1: Compute 

$d = Decrypt(C_j, sk)$, 

where the decryption algorithm is described in the Paillier cryptosystem. 
2: return $d$ 


Remark. The CR may be specified by the coordinates (x, y) of an origin point and 
the order n of a square grid. The cell which contains the origin point is labeled as 
(1,1). The CR covers the square grid from the cell (1,1) to the cell (n, n). 


Remark. In Algorithm 3, when the mobile user receives the response, he or she can 
ignore $C_\ell$ ($\ell \neq j$) and receive $C_j$ only, because only $C_j$ contains the information 
about the $k$ nearest POIs in the cell $(i, j)$. 


Theorem 5.3 (Correctness). The kNN query protocol without considering data 
privacy of the LBS provider (Algorithms 1–3) is correct. In other words, for any 
cloaking region $CR$ with $n \times n$ cells and the index $i, j$ of a cell ($1 \le i, j \le n$), we have 

$d_{i,j} = RR(R, s)$, 

where $d_{i,j}$ stands for the $k$ nearest POIs for the cell $(i, j)$, $(Q, s) = QG(CR, n, (i, j))$, 
$R = RG(D, Q)$. 


Proof. Based on Algorithms 1–3, we have 

$C_j = \prod_{\ell=1}^{n} c_\ell^{d_{\ell,j}} = g^{d_{i,j}} \Big(\prod_{\ell=1}^{n} r_\ell^{d_{\ell,j}}\Big)^N \pmod{N^2}$, 

which is a Paillier encryption of $d_{i,j}$. Therefore, we have $d_{i,j} = Decrypt(C_j, sk) 
= RR(R, sk)$ and the theorem is proved. $\square$ 


Algorithm 4 Query Generation (user) 
Input: $CR, n, (i, j)$ 
Output: $Q, s$ 
1: Randomly choose two large primes $p, q$ such that $N = pq > M$. 
2: Let $sk = \{p, q\}$ and $pk = \{g, N\}$, where $g$ is chosen from $Z_{N^2}^*$ and its order is a nonzero 
multiple of $N$. 
3: For each $\ell \in \{1, 2, \ldots, n\}$, pick a random integer $r_\ell \in Z_{N^2}^*$ and compute 

$c_\ell = \begin{cases} Encrypt(1, pk) = g\, r_\ell^N \pmod{N^2} & \text{if } \ell = i \\ Encrypt(0, pk) = r_\ell^N \pmod{N^2} & \text{otherwise} \end{cases}$ 

4: Pick a random integer $r \in Z_{N^2}^*$ and compute 

$c = Encrypt(j, pk) = g^j r^N \pmod{N^2}$ 

5: Let $Q = \{CR, n, c_1, c_2, \ldots, c_n, c, pk\}$, $s = sk$. 
6: return $Q, s$ 


5.2.3 Private kNN Queries with Data Privacy 


In the kNN query protocol without considering data privacy of the LBS provider, 
$C_\gamma = g^{d_{i,\gamma}} (\prod_{\ell=1}^{n} r_\ell^{\,d_{\ell,\gamma}})^{N} \pmod{N^2}$ for every $\gamma$, and thus the mobile user, who holds sk, is able to obtain the 
k nearest POIs in the cells $(i, \gamma)$ for $\gamma = 1, 2, \cdots, n$ simply by decrypting all n components of the response. Therefore, the protocol does not provide data 
privacy, which requires that the mobile user retrieves the k nearest POIs for one cell 
only per query. 

Now we describe a construction of the kNN query protocol by Yi et al. [22], 
composed of Algorithms 4-6, which provides data privacy for the LBS provider. 


Algorithm 5 Response Generation RG (server) 
Input: D, $Q = \{CR, n, c_1, c_2, \cdots, c_n, c, (g, N)\}$ 
Output: $R = \{C_1, C_2, \cdots, C_n\}$ 
1: Based on CR and n, compute $R = \{C_1, C_2, \cdots, C_n\}$ where, for $\gamma = 1, 2, \cdots, n$, 

$$C_\gamma = \big( c / g^{\gamma} \big)^{w_\gamma} \prod_{\ell=1}^{n} c_\ell^{\,d_{\ell,\gamma}^{2}} \pmod{N^2},$$

where $w_\gamma$ is randomly chosen from $\mathbb{Z}^*_N$. 
2: return R 


Algorithm 6 Response Retrieval RR (user) 
Input: $R = \{C_1, C_2, \cdots, C_n\}$, $sk = s$ 
Output: d 
1: Compute 

$$C'_j = \mathrm{PaillierDecrypt}(C_j, sk),$$

where the decryption algorithm is described in the Paillier cryptosystem. 
2: Compute 

$$d = \mathrm{RabinDecrypt}(C'_j, sk),$$

where the decryption algorithm is described in the Rabin cryptosystem. 
3: return d 


Theorem 5.4 (Correctness). The kNN query protocol with data privacy (Algorithms 4-6) is correct. In other words, for any cloaking region CR with $n \times n$ cells and 
the index $(i, j)$ of a cell ($1 \le i, j \le n$), 

$$d_{i,j} = RR(R, s)$$

holds, where $d_{i,j}$ stands for the k nearest POIs for the cell $(i, j)$, $(Q, s) = QG(CR, n, (i, j))$ and 
$R = RG(D, Q)$. 


Proof. Based on Algorithms 4-6, we have 

$$C_j = \big( c / g^{j} \big)^{w_j} \prod_{\ell=1}^{n} c_\ell^{\,d_{\ell,j}^{2}} \pmod{N^2} 
= g^{d_{i,j}^{2}} \Big( r^{w_j} \prod_{\ell=1}^{n} r_\ell^{\,d_{\ell,j}^{2}} \Big)^{N} \pmod{N^2},$$

because $c / g^{j} = r^{N}$ is a Paillier encryption of 0 and so is its $w_j$-th power. Hence $C_j$ is a Paillier encryption of $d_{i,j}^{2} \pmod N$. Therefore, we have 

$$C'_j = \mathrm{PaillierDecrypt}(C_j, sk) = d_{i,j}^{2} \pmod N,$$

which is the Rabin encryption of $d_{i,j}$. At last, we have 

$$d_{i,j} = \mathrm{RabinDecrypt}(C'_j, sk) = RR(R, s)$$

and the theorem is proved. □ 


Remark. For any $\gamma$, 

$$C_\gamma = g^{\,d_{i,\gamma}^{2} + (j - \gamma) w_\gamma} \Big( r^{w_\gamma} \prod_{\ell=1}^{n} r_\ell^{\,d_{\ell,\gamma}^{2}} \Big)^{N} \pmod{N^2}.$$

When $\gamma \ne j$, $C_\gamma$ is not a Paillier encryption of $d_{i,\gamma}^{2}$ because of the factor $g^{(j-\gamma) w_\gamma}$: 
the plaintext the user recovers is $d_{i,\gamma}^{2}$ masked by $(j - \gamma) w_\gamma \pmod N$, which is nonzero for every choice of $w_\gamma \in \mathbb{Z}^*_N$ since $0 < |j - \gamma| < n < N$, and which the user cannot remove because $w_\gamma$ is known only to the LBS provider. This 
means that the mobile user cannot obtain the k nearest POIs for the cell $(i, \gamma)$ when 
$\gamma \ne j$. In addition, the Rabin encryption $d_{\ell,j}^{2}$ is used instead of $d_{\ell,j}$ in Response 
Generation to prevent the mobile user from retrieving the nearest POIs for the cell 
$(\ell, j)$ when $\ell \ne i$. If $d_{\ell,j}$ rather than $d_{\ell,j}^{2}$ were encoded, a malicious user could obtain 
a linear equation in $d_{1,j}, d_{2,j}, \cdots, d_{n,j}$ by including more than one encryption of 
1 in the list $c_1, c_2, \cdots, c_n$; the linear relation may disclose more than one $d_{\ell,j}$ 
to the user. With Rabin encryption, the user can only obtain a nonlinear (quadratic) equation 
in $d_{1,j}, d_{2,j}, \cdots, d_{n,j}$ if there is more than one encryption of 1 in the list 
$c_1, c_2, \cdots, c_n$. From the nonlinear equation, it is hard to retrieve any $d_{\ell,j}$. 
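The two protocols above, as an added Python example (this is not code from Yi et al. [22] or from this book): a textbook Paillier instance with $g = N + 1$ over two fixed Mersenne primes as the demo key, the POI encoding $d$ packed from k = 2 coordinate pairs into a constructed 3 × 3 table, and Algorithms 1-3 beside Algorithms 4-6 (cells are 0-indexed here, so the cell $(i, j)$ of the text is `(i-1, j-1)`). Beyond what the text states, the example assumes every encoding satisfies $0 < d < 2^{60} \le \min(p, q)$; that is what lets the user pick the correct one of the four Rabin square roots deterministically, whereas the book only requires $N > M$. The helpers `decrypt_all_columns` and `two_hot_query` reproduce the two leaks discussed in the Remark: without data privacy a user who decrypts every $C_\gamma$ recovers the whole row $d_{i,1}, \cdots, d_{i,n}$ and a query with two encryptions of 1 yields the linear sum $d_{i_1,j} + d_{i_2,j}$; with data privacy the first gives a masked value for $\gamma \ne j$ and the second only $d_{i_1,j}^2 + d_{i_2,j}^2$.

```python
import random
from math import gcd

# Fixed demo primes: the Mersenne primes 2^61-1 and 2^89-1. Both are 3 (mod 4), which makes
# a Rabin square root a single exponentiation. These sizes illustrate the protocol, nothing more.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
N2 = N * N
G = N + 1                                   # order of N+1 in Z*_{N^2} is N, as Algorithm 1 requires
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)
MU = pow((pow(G, LAM, N2) - 1) // N, -1, N)
M_BOUND = 1 << 60   # assumption: every POI encoding d satisfies 0 < d < M_BOUND <= min(P, Q)

def paillier_encrypt(m):
    r = random.randrange(1, N)
    while gcd(r, N) != 1:
        r = random.randrange(1, N)
    return pow(G, m, N2) * pow(r, N, N2) % N2

def paillier_decrypt(c):
    return (pow(c, LAM, N2) - 1) // N * MU % N

def rabin_decrypt(c):
    """Return the square root of c mod N that lies below M_BOUND. With d < M_BOUND <= min(P, Q)
    the other three roots of d^2 are at least P + 1, Q + 1 and N - d, so exactly one qualifies."""
    rp, rq = pow(c, (P + 1) // 4, P), pow(c, (Q + 1) // 4, Q)
    roots = [(sp * Q * pow(Q, -1, P) + sq * P * pow(P, -1, Q)) % N      # CRT over the sign choices
             for sp in (rp, P - rp) for sq in (rq, Q - rq)]
    (d,) = [x for x in roots if x < M_BOUND]
    return d

def encode_pois(pois):
    """Pack k POIs (x, y), each coordinate in [1, 2^15), into the integer d of the text (k = 2 fits 60 bits)."""
    d = 0
    for x, y in pois:
        d = (d << 30) | (x << 15) | y
    return d

def demo_table(n=3, k=2):
    """Constructed LBS table: d[l][g] encodes the k nearest POIs of the cell (l, g)."""
    rng = random.Random(5)
    return [[encode_pois([(rng.randrange(1, 1 << 15), rng.randrange(1, 1 << 15)) for _ in range(k)])
             for _ in range(n)] for _ in range(n)]

def qg(n, i, j, private):
    """Algorithm 1 (private=False) / Algorithm 4 (private=True), user side."""
    cs = [paillier_encrypt(1 if l == i else 0) for l in range(n)]   # one-hot selector for row i
    return cs, (paillier_encrypt(j) if private else None)         # c = Encrypt(j) only in Algorithm 4

def rg(d, cs, c, private):
    """Algorithm 2 / Algorithm 5, server side; d is the POI table."""
    n = len(d)
    R = []
    for g in range(n):
        if private:
            w = random.randrange(1, N)
            while gcd(w, N) != 1:
                w = random.randrange(1, N)
            acc = pow(c * pow(pow(G, g, N2), -1, N2) % N2, w, N2)     # (c / g^gamma)^{w_gamma}
            for l in range(n):
                acc = acc * pow(cs[l], d[l][g] ** 2, N2) % N2         # exponent d^2: Rabin layer
        else:
            acc = 1
            for l in range(n):
                acc = acc * pow(cs[l], d[l][g], N2) % N2              # exponent d itself
        R.append(acc)
    return R

def rr(R, j, private):
    """Algorithm 3 / Algorithm 6, user side: only C_j is decrypted."""
    m = paillier_decrypt(R[j])
    return rabin_decrypt(m) if private else m

def run_query(d, i, j, private):
    cs, c = qg(len(d), i, j, private)
    return rr(rg(d, cs, c, private), j, private)

def decrypt_all_columns(d, i, j, private):
    """What a curious user gets by Paillier-decrypting every C_gamma instead of C_j only."""
    cs, c = qg(len(d), i, j, private)
    return [paillier_decrypt(x) for x in rg(d, cs, c, private)]

def two_hot_query(d, i1, i2, j):
    """Malicious query with encryptions of 1 in rows i1 and i2: (linear sum, sum of squares)."""
    n = len(d)
    cs = [paillier_encrypt(1 if l in (i1, i2) else 0) for l in range(n)]
    lin = paillier_decrypt(rg(d, cs, None, False)[j])
    nonlin = paillier_decrypt(rg(d, cs, paillier_encrypt(j), True)[j])
    return lin, nonlin
```

`run_query(demo_table(), 1, 2, True)` returns exactly `demo_table()[1][2]`, while `decrypt_all_columns(..., private=False)` returns the entire row of the table, which is the data-privacy failure of Algorithms 1-3 in one line. Note that the bound `M_BOUND <= min(P, Q)` is a practitioner's addition: with only $N > M$ as in the text, the user needs redundancy in the POI encoding to tell the right Rabin root from the other three.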


5.2.4 Private kNN Queries Based on POI Type 


Now we take the POI type in the kNN query into account. Slightly different from the 
initialization phase in the kNN query protocol without data privacy, based on the 
center of each cell, the LBS provider collects the k nearest POIs $P_1, P_2, \cdots, P_k$, and 
each point is represented by a tuple (x, y, t), where x and y are the latitude and 
longitude of the point, respectively, and t is the type of the point. Examples of POI 
types include: 


• Churches, schools 

• Post offices, shops, postboxes, telephone boxes 

• Pubs 

• Car parks 

• Speed cameras 

• Tourist attractions 


We assume that POI types are coded as $1, 2, \cdots, m$ and that this coding is public. 
For each cell $(i, j)$ and each POI type t, the LBS provider keeps the k nearest POIs 
of type t, represented by a stream of bits, denoted as an integer $d_{i,j,t}$. We assume 
$M = \max(d_{i,j,t})$. 

Assume that the mobile user U located in the cell $(i, j)$ wishes to find the k nearest 
POIs of type t; the kNN query protocol based on POI type is composed of 
Algorithms 7-9. 
Algorithm 7 Query Generation QG (user) 

Input: CR, n, m, (i, j), t 
Output: Q, s 

1: Randomly choose two large primes $p_1, q_1$ such that $N_1 = p_1 q_1 > M$. 

2: Randomly choose two large primes $p_2, q_2$ such that $N_2 = p_2 q_2$, where $N_1^2 < N_2$. 

3: Let $sk_1 = \{p_1, q_1\}$, $sk_2 = \{p_2, q_2\}$, $pk_1 = \{g_1, N_1\}$, $pk_2 = \{g_2, N_2\}$, where $g_1$ is chosen 
from $\mathbb{Z}^*_{N_1^2}$ and its order is a nonzero multiple of $N_1$, and $g_2$ is chosen from $\mathbb{Z}^*_{N_2^2}$ and its order 
is a nonzero multiple of $N_2$. 

4: For each $\ell \in \{1, 2, \cdots, m\}$, pick a random integer $r_\ell \in \mathbb{Z}^*_{N_1^2}$ and compute 

$$c_\ell = \begin{cases} E(1, pk_1) = g_1\, r_\ell^{N_1} \pmod{N_1^2} & \text{if } \ell = t \\ E(0, pk_1) = r_\ell^{N_1} \pmod{N_1^2} & \text{otherwise.} \end{cases}$$

5: For each $\ell \in \{1, 2, \cdots, n\}$, pick a random integer $r'_\ell \in \mathbb{Z}^*_{N_2^2}$ and compute 

$$c'_\ell = \begin{cases} E(1, pk_2) = g_2\, {r'_\ell}^{N_2} \pmod{N_2^2} & \text{if } \ell = i \\ E(0, pk_2) = {r'_\ell}^{N_2} \pmod{N_2^2} & \text{otherwise.} \end{cases}$$

6: Pick a random integer $r \in \mathbb{Z}^*_{N_2^2}$ and compute 

$$c = E(j, pk_2) = g_2^{\,j} r^{N_2} \pmod{N_2^2}.$$

7: Let $Q = \{CR, n, m, c_1, c_2, \cdots, c_m, c'_1, c'_2, \cdots, c'_n, c, pk_1, pk_2\}$, $s = \{sk_1, sk_2\}$. 
8: return Q, s 


Algorithm 8 Response Generation RG (server) 

Input: D, $Q = \{CR, n, m, c_1, c_2, \cdots, c_m, c'_1, c'_2, \cdots, c'_n, c, pk_1, pk_2\}$ 
Output: $R = \{C_1, C_2, \cdots, C_n\}$ 
1: Based on CR and m, for each cell $(\alpha, \beta)$ in CR, compute 

$$C_{\alpha,\beta} = \prod_{\ell=1}^{m} c_\ell^{\,d_{\alpha,\beta,\ell}^{2}} \pmod{N_1^2}.$$

2: Based on CR and n, compute $R = \{C_1, C_2, \cdots, C_n\}$, where for $\beta \in \{1, 2, \cdots, n\}$, 

$$C_\beta = \big( c / g_2^{\,\beta} \big)^{w_\beta} \prod_{\alpha=1}^{n} {c'_\alpha}^{\,C_{\alpha,\beta}^{2}} \pmod{N_2^2},$$

where $w_\beta$ is randomly chosen from $\mathbb{Z}^*_{N_2}$ and the exponent $C_{\alpha,\beta}^{2}$ is reduced modulo $N_2$ (the condition $N_1^2 < N_2$ guarantees $C_{\alpha,\beta} < N_2$, so this is a Rabin encryption of $C_{\alpha,\beta}$ under $N_2$). 
3: return R 


Algorithm 9 Response Retrieval RR (user) 
Input: $R = \{C_1, C_2, \cdots, C_n\}$, $sk = \{sk_1, sk_2\}$ 
Output: d 

1: Compute 

$$C'_j = \mathrm{PaillierDecrypt}(C_j, sk_2),$$

where the decryption algorithm is described in the Paillier cryptosystem. 
2: Compute 

$$C''_j = \mathrm{RabinDecrypt}(C'_j, sk_2),$$

where the decryption algorithm is described in the Rabin cryptosystem. 
3: Compute 

$$C'''_j = \mathrm{PaillierDecrypt}(C''_j, sk_1).$$

4: Compute 

$$d = \mathrm{RabinDecrypt}(C'''_j, sk_1).$$

5: return d 


Theorem 5.5 (Correctness). The kNN query protocol based on POI type 
(Algorithms 7-9) is correct. In other words, for any cloaking region CR with 
$n \times n$ cells and m types of POIs, and the index $(i, j)$ of a cell ($1 \le i, j \le n$) and a type t 
of POIs, we have 

$$d_{i,j,t} = RR(R, sk)$$

holds, where $d_{i,j,t}$ stands for the k nearest POIs of the type t in the cell $(i, j)$, and 
$(Q, sk) = QG(CR, n, m, (i, j), t)$, $R = RG(D, Q)$. 


Proof. Following the proof of Theorem 5.4, with $C_{\alpha,\beta}$ in place of $d_{\ell,\gamma}$ and $pk_2$ in place of pk, 
$C'_j = \mathrm{PaillierDecrypt}(C_j, sk_2) = C_{i,j}^{2} \pmod{N_2}$, and since $C_{i,j} < N_1^2 < N_2$ the Rabin decryption 
under $sk_2$ gives 

$$C''_j = C_{i,j} = \prod_{\ell=1}^{m} c_\ell^{\,d_{i,j,\ell}^{2}} \pmod{N_1^2}.$$

In fact, $C_{i,j} = g_1^{\,d_{i,j,t}^{2}} \big( \prod_{\ell=1}^{m} r_\ell^{\,d_{i,j,\ell}^{2}} \big)^{N_1} \pmod{N_1^2}$, which is a Paillier encryption of 
$d_{i,j,t}^{2} \pmod{N_1}$. Therefore, we have 

$$C'''_j = d_{i,j,t}^{2} \pmod{N_1},$$

which is the Rabin encryption of $d_{i,j,t}$. At last, we have $d_{i,j,t} = \mathrm{RabinDecrypt}(C'''_j, sk_1) = RR(R, s)$ and the theorem is proved. □ 
5.2.5 Private Cloaking Region 


In the kNN query protocols, the mobile user needs to specify a cloaking region CR 
in his or her query Q. If the CR is too large, the kNN query will be inefficient. 
However, if the CR is too small, the kNN query has weak location privacy. 

To facilitate the kNN query protocols, we describe a solution by Yi et al. [22] for 
the mobile user to specify a (small) private cloaking region (encrypted) in a (big) 
public cloaking region. After that, the mobile user and the LBS provider can run the 
kNN query protocols over the private cloaking region repeatedly. 

Assume that the public cloaking region CR contains $\Lambda \times \Lambda$ small cloaking regions 
$CR_{\alpha,\beta}$ ($\alpha = 1, 2, \cdots, \Lambda$, $\beta = 1, 2, \cdots, \Lambda$). Without loss of generality, we assume 
that each small $CR_{\alpha,\beta}$ contains $\lambda$ data elements $d_{\alpha,\beta,\gamma}$ for $\gamma = 1, 2, \cdots, \lambda$, although 
the small $CR_{\alpha,\beta}$ can be further divided into $n \times n$ cells later. 

Assume that the mobile user wishes to specify the private cloaking region $CR_{i,j}$ 
(encrypted); the private cloaking region protocol is composed of Algorithm 10, 
by which the mobile user generates a request for the private cloaking region, and 
Algorithm 11, by which the LBS provider generates the private cloaking region 
(encrypted) for the mobile user. 

Before we describe the private cloaking region generation algorithm, we introduce 
the following notation. For a ciphertext c and a small cloaking region $CR_{\alpha,\beta} = (d_{\alpha,\beta,1}, d_{\alpha,\beta,2}, \cdots, d_{\alpha,\beta,\lambda})$, let 

$$c^{CR_{\alpha,\beta}} = \big( c^{\,d_{\alpha,\beta,1}}, c^{\,d_{\alpha,\beta,2}}, \cdots, c^{\,d_{\alpha,\beta,\lambda}} \big),$$

and let $\otimes$ denote the component-wise product of two such vectors: 

$$c_\alpha^{CR_{\alpha,\beta}} \otimes c_{\alpha'}^{CR_{\alpha',\beta}} = \big( c_\alpha^{\,d_{\alpha,\beta,1}} c_{\alpha'}^{\,d_{\alpha',\beta,1}}, c_\alpha^{\,d_{\alpha,\beta,2}} c_{\alpha'}^{\,d_{\alpha',\beta,2}}, \cdots, c_\alpha^{\,d_{\alpha,\beta,\lambda}} c_{\alpha'}^{\,d_{\alpha',\beta,\lambda}} \big).$$

The same notation applies when the "data elements" are themselves ciphertexts, as in step 3 of Algorithm 11. 


Algorithm 10 Private cloaking region request (user) 

Input: CR, $\Lambda$, i, j 
Output: Q, s 
1: Randomly choose two large primes $p_1, q_1$ such that $N_1 = p_1 q_1 > M$, where M is the maximum data element. 
2: Randomly choose two large primes $p_2, q_2$ such that $N_2 = p_2 q_2$, where $N_1^2 < N_2$. 
3: Let $sk_1 = \{p_1, q_1\}$, $sk_2 = \{p_2, q_2\}$, $pk_1 = \{g_1, N_1\}$, $pk_2 = \{g_2, N_2\}$, where $g_1$ is chosen 
from $\mathbb{Z}^*_{N_1^2}$ and its order is a nonzero multiple of $N_1$, and $g_2$ is chosen from $\mathbb{Z}^*_{N_2^2}$ and its order 
is a nonzero multiple of $N_2$. 
4: For each $\ell \in \{1, 2, \cdots, \Lambda\}$, pick a random integer $r_\ell \in \mathbb{Z}^*_{N_1^2}$ and compute 

$$c_\ell = \begin{cases} E(1, pk_1) = g_1\, r_\ell^{N_1} \pmod{N_1^2} & \text{if } \ell = i \\ E(0, pk_1) = r_\ell^{N_1} \pmod{N_1^2} & \text{otherwise.} \end{cases}$$

5: For each $\ell \in \{1, 2, \cdots, \Lambda\}$, pick a random integer $r'_\ell \in \mathbb{Z}^*_{N_2^2}$ and compute 

$$c'_\ell = \begin{cases} E(1, pk_2) = g_2\, {r'_\ell}^{N_2} \pmod{N_2^2} & \text{if } \ell = j \\ E(0, pk_2) = {r'_\ell}^{N_2} \pmod{N_2^2} & \text{otherwise.} \end{cases}$$

6: Let $Q = \{CR, \Lambda, c_1, c_2, \cdots, c_\Lambda, c'_1, c'_2, \cdots, c'_\Lambda, pk_1, pk_2\}$, $s = \{sk_1, sk_2\}$. 
7: return Q, s 


Algorithm 11 Private cloaking region generation (server) 

Input: D, $Q = \{CR, \Lambda, c_1, c_2, \cdots, c_\Lambda, c'_1, c'_2, \cdots, c'_\Lambda, pk_1, pk_2\}$ 
Output: R 
1: Based on CR and $\Lambda$, divide CR into the small cloaking regions $CR_{\alpha,\beta}$, where $1 \le \alpha, \beta \le \Lambda$. 
2: For $\beta = 1, 2, \cdots, \Lambda$, compute 

$$CR_\beta = c_1^{CR_{1,\beta}} \otimes c_2^{CR_{2,\beta}} \otimes \cdots \otimes c_\Lambda^{CR_{\Lambda,\beta}} \pmod{N_1^2}.$$

3: Compute 

$$R = {c'_1}^{CR_1} \otimes {c'_2}^{CR_2} \otimes \cdots \otimes {c'_\Lambda}^{CR_\Lambda} \pmod{N_2^2}.$$

4: return R 


In Algorithm 11, the output R (i.e., the encrypted private cloaking region) 
contains $\lambda$ data elements. 


Theorem 5.6. In Algorithms 10 and 11, R is the encryption of the private cloaking 
region $CR_{i,j}$. 

Proof. In Algorithms 10 and 11, write $CR_\beta = (C_{\beta,1}, C_{\beta,2}, \cdots, C_{\beta,\lambda})$ and 
$R = (C_1, C_2, \cdots, C_\lambda)$; then for $\gamma = 1, 2, \cdots, \lambda$, we have 

$$C_{\beta,\gamma} = \prod_{\alpha=1}^{\Lambda} c_\alpha^{\,d_{\alpha,\beta,\gamma}} = g_1^{\,d_{i,\beta,\gamma}} \Big( \prod_{\alpha=1}^{\Lambda} r_\alpha^{\,d_{\alpha,\beta,\gamma}} \Big)^{N_1} \pmod{N_1^2},$$

which is a Paillier encryption of $d_{i,\beta,\gamma}$ with $g_1, N_1$. In addition, for $\gamma = 1, 2, \cdots, \lambda$, 
we have 

$$C_\gamma = \prod_{\beta=1}^{\Lambda} {c'_\beta}^{\,C_{\beta,\gamma}} = g_2^{\,C_{j,\gamma}} \Big( \prod_{\beta=1}^{\Lambda} {r'_\beta}^{\,C_{\beta,\gamma}} \Big)^{N_2} \pmod{N_2^2},$$

which is a Paillier encryption of $C_{j,\gamma}$ with $g_2, N_2$ (the condition $N_1^2 < N_2$ ensures $C_{j,\gamma} < N_2$, so it is a valid plaintext). This means $\mathrm{PaillierDecrypt}(C_\gamma, sk_2) 
= C_{j,\gamma}$ and $\mathrm{PaillierDecrypt}(C_{j,\gamma}, sk_1) = d_{i,j,\gamma}$ for $\gamma = 1, 2, \cdots, \lambda$, and the 
theorem is proved. □ 


Remark. If the LBS provider has sufficient storage, it can keep the private cloaking 
region (PCR) for the time being. The PCR is encrypted and only the mobile user can 
decrypt it. The LBS provider still knows the POI types of the data elements in the PCR, 
but it has no idea where the PCR is located. Therefore, the mobile user does not need to 
hide his or her location within the PCR in his or her query and only needs to embed 
the POI type t in his or her query in the same way as Algorithm 1. In addition, the 
user can repeatedly query the different cells in the PCR. 


5.3 Performance Analysis 


Now we analyze the performance of the three KNN query protocols and the private 
cloaking region protocol by Yi et al. [22]. In the performance analysis, we consider 
the computation of modular exponentiations (exp.) and ignore the computation of 
modular multiplications and squares because the latter is much cheaper than the 
former. We also ignore the process of key generation because it can be precomputed. 


5.3.1 Protocol Performance 


In the kNN query protocol without data privacy (Algorithms 1-3), the mobile user 
needs to compute n Paillier encryptions (about n exp.) in Algorithm 1 and 1 Paillier 
decryption (about 2 exp.) in Algorithm 3. So the total computation complexity of the 
mobile user is about O(n) exp. In Algorithm 2, the LBS provider needs to compute 
$n^2$ exp. and the total computation complexity of the LBS provider is $O(n^2)$ exp. In 
addition, the communication complexity is $2n \log_2 N$ bits. 

In the kNN query protocol with data privacy (Algorithms 4-6), the mobile user 
needs to compute n + 1 Paillier encryptions (about n exp.) in Algorithm 4 and 1 
Paillier decryption and 1 Rabin decryption (about 3 exp.) in Algorithm 6. So the 
total computation complexity of the user is about O(n) exp. In Algorithm 5, the LBS 
provider needs to compute (2 + n)n exp. and the total computation complexity of the LBS 
provider is $O(n^2)$ exp. In addition, the communication complexity is $2n \log_2 N$ bits. 

In the kNN query protocol based on POI type (Algorithms 7-9), the mobile 
user needs to compute n + m + 1 Paillier encryptions (about n + m exp.) in 
Algorithm 7 and 2 Paillier decryptions and 2 Rabin decryptions (about 6 exp.) in 
Algorithm 9. So the total computation complexity of the mobile user is about O(n + m) 
exp. In Algorithm 8, the LBS provider needs to compute $mn^2 + (n + 2)n$ exp. and 
the total computation complexity of the LBS provider is $O(mn^2)$ exp. In addition, 
the communication complexity is $(2n + m) \log_2 N$ bits. 

Table 5.1 shows the performance of the above three protocols. 

In addition, in the private cloaking region protocol (Algorithms 10-11), 
the mobile user needs to compute $2\Lambda$ Paillier encryptions (about $2\Lambda$ exp.) in 
Algorithm 10 while the LBS provider needs to compute $\Lambda^2 \lambda$ exp., and the 
communication complexity is $2\Lambda \log_2 N$. After generation of the private cloaking 
region, the mobile user can repeatedly query it with O(1) (without POI type) or 
O(m) (with POI type) computation and communication complexities. 
Table 5.1 Performance of the kNN query protocols 

Component     | Algorithms 1-3   | Algorithms 4-6   | Algorithms 7-9 
--------------|------------------|------------------|--------------------- 
User comp.    | O(n)             | O(n)             | O(n + m) 
Server comp.  | O(n^2)           | O(n^2)           | O(mn^2) 
Comm.         | 2n log_2 N       | 2n log_2 N       | (2n + m) log_2 N 


Table 5.2 Performance comparison (stage 1 / stage 2) 

Component     | Ghinita et al.              | Paulet et al.                                      | Yi et al. protocol 
--------------|-----------------------------|----------------------------------------------------|------------------- 
User comp.    | O(n^2) / O(n)               | O(1) / generate G, g, q and solve a discrete log   | O(n) 
Server comp.  | O(n^2) / O(n^2)             | O(n) / O(n^2)                                      | O(n^2) 
Comm.         | n^2 log_2 N / 2n log_2 N    | 2n log_2 N / O(1)                                  | 2n log_2 N 


5.3.2 Performance Comparison 


We now compare the kNN query protocol with data privacy with the PIR-based LBS 
query protocols [4, 5, 13, 14] in Table 5.2. None of these protocols considers POI 
type in its queries. We assume the cloaking region has $n \times n$ cells. 

From Table 5.2, we can see that the Ghinita et al. and Paulet et al. protocols 
both have two stages while the Yi et al. protocol has one stage only. The performance of 
the Yi et al. protocol is better than the Ghinita et al. protocol in terms of user and server 
computation complexities and communication complexity. In addition, the Paulet 
et al. protocol and the Yi et al. protocol have almost the same server computation and 
communication complexities, but the mobile user in the Yi et al. protocol needs to compute 
much less than in the Paulet et al. protocol. In stage 2, the Paulet et al. protocol needs 
to generate a group G, a generator g, and a prime q for each query and compute 
a discrete logarithm $c_\ell = \log_g h_\ell$. This process takes more time than computing 
n exp. 


5.4 Conclusion and Discussion 


In this chapter, we have described the private KNN solution of Yi et al. [22]. Their 
solution is composed of three private KNN query protocols and one private cloaking 
region protocol. To analyze the security of the solutions, Yi et al. defined a security 
model for private KNN queries and performed security analysis on their solution in 
[22]. The security analysis has shown that the solutions ensure both location privacy 
in the sense that the user does not reveal any information about his or her location to 
the LBS provider and data privacy in the sense that the LBS provider releases to the 
user only k nearest POIs per query. The performance analysis has shown that their 
protocols are more efficient than the past solutions. 




References 


1. B. Bamba, L. Liu, P. Pesti, T. Wang, Supporting anonymous location queries in mobile 
environments with PrivacyGrid, in Proceedings of the 17th International Conference on World 
Wide Web, WWW'08, 2008, pp. 237-246 

2. A.R. Beresford, F. Stajano, Location privacy in pervasive computing. IEEE Pervasive Comput. 
2(1), 46-55 (2003) 

3. C.Y. Chow, M.F. Mokbel, X. Liu, A peer-to-peer spatial cloaking algorithm for anonymous 
location-based services, in Proceedings of the 14th Annual International Symposium on 
Advances in Geographic Information Systems, ACM GIS'06, 2006, pp. 171-178 

4. G. Ghinita, P. Kalnis, S. Skiadopoulos, PRIVE: Anonymous location-based queries in 
distributed mobile systems, in Proceedings of the 16th International Conference on World Wide 
Web, WWW'07, 2007, pp. 371-380 

5. G. Ghinita, P. Kalnis, A. Khoshgozaran, C. Shahabi, K.-L. Tan, Private queries in location-based 
services: anonymizers are not necessary, in Proceedings of International Conference on 
Management of Data, SIGMOD'08, 2008, pp. 121-132 

6. H. Hu, J. Xu, C. Ren, B. Choi, Processing private queries over untrusted data cloud through 
privacy homomorphism, in Proceedings of IEEE 27th International Conference on Data 
Engineering, ICDE'11, 2011, pp. 601-612 

7. A. Khoshgozaran, C. Shahabi, Blind evaluation of nearest neighbor queries using space 
transformation to preserve location privacy, in Proceedings of Advances in Spatial and 
Temporal Databases, SSTD'07, 2007, pp. 239-257 

8. H. Kido, Y. Yanagisawa, T. Satoh, An anonymous communication technique using dummies 
for location-based services, in Proceedings of International Conference on Pervasive Services, 
ICPS'05, 2005, pp. 88-97 

9. M.F. Mokbel, C.-Y. Chow, W.G. Aref, The new Casper: query processing for location services 
without compromising privacy, in Proceedings of the 32nd International Conference on Very 
Large Data Bases, VLDB'06, 2006, pp. 763-774 

10. G. Myles, A. Friday, N. Davies, Preserving privacy in environments with location-based 
applications. IEEE Pervasive Comput. 2(1), 56-64 (2003) 

11. P. Paillier, Public key cryptosystems based on composite degree residue classes, in Proceedings 
of Advances in Cryptology, EUROCRYPT'99, 1999, pp. 223-238 

12. S. Papadopoulos, S. Bakiras, D. Papadias, Nearest neighbor search with strong location privacy, 
in Proceedings of the VLDB'10, 2010, pp. 619-629 

13. R. Paulet, M. Golam Kaosar, X. Yi, E. Bertino, Privacy-preserving and content-protecting 
location based queries, in Proceedings of IEEE 28th International Conference on Data 
Engineering, ICDE'12, 2012, pp. 44-53 

14. R. Paulet, M. Golam Kaosar, X. Yi, E. Bertino, Privacy-preserving and content-protecting 
location based queries. IEEE Trans. Knowl. Data Eng. 26(5), 1200-1210 (2014) 

15. M. Rabin, Digitalized signatures and public-key functions as intractable as factorization 
(Massachusetts Institute of Technology, Cambridge, 1979) 

16. P. Shankar, V. Ganapathy, L. Iftode, Privately querying location-based services with SybilQuery, 
in Proceedings of the 11th International Conference on Ubiquitous Computing, Ubicomp'09, 
2009, pp. 31-40 

17. S. Wang, X. Ding, R.H. Deng, F. Bao, Private information retrieval using trusted hardware, in 
Proceedings of Computer Security, ESORICS'06, 2006, pp. 49-64 

18. P. Williams, R. Sion, Usable PIR, in Proceedings of 15th Annual Network and Distributed 
System Security Symposium, NDSS'08, 2008 

19. W.K. Wong, D.W. Cheung, B. Kao, N. Mamoulis, Secure kNN computation on encrypted 
databases, in Proceedings of International Conference on Management of Data, SIGMOD'09, 
2009, pp. 139-152 

20. B. Yao, F. Li, X. Xiao, Secure nearest neighbor revisited, in Proceedings of IEEE 29th 
International Conference on Data Engineering, ICDE'13, 2013, pp. 733-744 

21. M.L. Yiu, C. Jensen, X. Huang, H. Lu, SpaceTwist: Managing the trade-offs among location 
privacy, query performance, and query accuracy in mobile systems, in Proceedings of IEEE 
24th International Conference on Data Engineering, ICDE'08, 2008, pp. 366-375 

22. X. Yi, R. Paulet, E. Bertino, V. Varadharajan, Practical k nearest neighbor queries with location 
privacy, in Proceedings of IEEE 30th International Conference on Data Engineering, ICDE'14, 
2014, pp. 640-651 

23. M. Youssef, V. Atluri, N.R. Adam, Preserving mobile customer privacy: An access control 
system for moving objects and custom profiles, in Proceedings of the 6th MDM'05, 2005, pp. 
67-76 


Chapter 6 
Private Searching on Streaming Data 


Abstract Private searching on streaming data is a process to dispatch to a public 
server a program, which searches streaming sources of data without revealing 
searching criteria and then sends back a buffer containing the findings. From an 
Abelian group homomorphic encryption, the searching criteria can be constructed 
by only simple combinations of keywords, e.g., disjunction of keywords. The recent 
breakthrough in fully homomorphic encryption has allowed one to construct 
arbitrary searching criteria theoretically. In this chapter, we consider a new private 
query suggested by Yi et al. [23], which searches for documents from streaming 
data on the basis of keyword frequency, such that the frequency of a keyword is 
required to be higher or lower than a given threshold. This form of query can 
help us in finding more relevant documents. Based on the state-of-the-art fully 
homomorphic encryption techniques, we describe disjunctive, conjunctive, and 
complement constructions for private threshold queries based on keyword frequency 
given by Yi et al. [23]. Combining the basic constructions, we also describe 
their generic construction for arbitrary private threshold queries based on keyword 
frequency. 


6.1 Introduction 


The problem of private searching on streaming data was first introduced by 
Ostrovsky and Skeith [15]. It was motivated by one of the tasks of the intelligence 
community, that is, how to collect potentially useful information from huge volumes 
of streaming data flowing through a public server. However, that data which is 
potentially useful and raises a red flag is often classified and satisfies secret search 
criteria. The challenge is thus how to keep the search criteria classified even if the 
program residing in the public server falls into the adversary’s hands. This problem 
has many applications for the purpose of intelligence gathering. For example, in 
airports one can use this technique to find whether any of hundreds of passenger lists has 
a name from a possible list of terrorists and, if so, to find his/her itinerary without 
revealing the secret terrorists' list. 

The first solution for private searching on streaming data was given by Ostrovsky 
and Skeith [15, 16]. It was built on the concept of public-key program obfuscation, 
where an obfuscator compiles a given program f from a complexity class C into 
a pair of algorithms (F, Dec), such that Dec(F(x)) = f(x) for any input x and 
it is impossible for any polynomial-time adversary to distinguish which f from C 
was used to produce a given code for F. The basic idea can be briefly described as 
follows. 

Assume that the public dictionary of potential keywords is $D = \{w_1, w_2, \cdots, 
w_{|D|}\}$. To search for documents containing one or more of the classified keywords 
$K = \{k_1, k_2, \cdots, k_{|K|}\} \subseteq D$, the client generates a public/private key pair of a 
public-key cryptosystem and constructs a program F, composed of an encrypted 
dictionary $\mathcal{E}(D)$ derived from K and a buffer B which will store matching documents. Then 
the client dispatches the program F to a public server, where F filters streaming 
documents and stores the encryptions of matching documents in the buffer B. 
After the buffer B returns, the client decrypts the buffer and retrieves the matching 
documents. Because both the keywords and the buffer are encrypted, the search 
criteria are kept classified from the public. 

On the basis of this idea, several solutions for private searching on streaming data 
have been proposed in literature as follows: 


1. Ostrovsky and Skeith [15, 16] gave two solutions for private searching on 
streaming data. One is based on the Paillier cryptosystem [18] and allows one to 
search for documents satisfying a disjunctive condition $k_1 \vee k_2 \vee \cdots \vee k_{|K|}$, i.e., 
containing one or more classified keywords. The other is based on the Boneh et al. 
cryptosystem [3] and can search for documents satisfying $(k_{11} \vee k_{12} \vee \cdots \vee 
k_{1|K_1|}) \wedge (k_{21} \vee k_{22} \vee \cdots \vee k_{2|K_2|})$, an AND of two sets of keywords. 

2. Bethencourt, Song, and Waters [1, 2] also gave a solution to search for documents 
satisfying a condition $k_1 \vee k_2 \vee \cdots \vee k_{|K|}$. Like the idea of [17], an encrypted 
dictionary is used. However, rather than using one large buffer and attempting to 
avoid collisions like [15], Bethencourt et al. stored the matching documents in 
three buffers and retrieved them by solving linear systems. 

3. Yi et al. [24] proposed a solution to search for documents containing more than 
t out of n keywords, so-called (t, n) threshold searching, without increasing the 
dictionary size. The solution is built on the state-of-the-art fully homomorphic 
encryption (FHE) technique and the buffer keeps at most m matching documents 
without collisions. Searching for documents containing one or more classified 
keywords as in [1, 2, 15, 16] can be achieved by (1, n) threshold searching. 


The existing solutions for private searching on streaming data have not consid- 
ered keyword frequency, the number of times that keyword is used in a document. 
Search engines like Google, Yahoo, and AltaVista display results based on secret 
algorithms. Although we do not know the equations, we believe that these are based 
mainly on keyword frequency and link popularity. 

In this chapter, we describe protocols [23] for a new private query, which searches 
for documents from streaming data based on keyword frequency, such that the number 
of times that a keyword appears in a matching document is required to be higher or 
lower than a given threshold. For example, find documents containing keywords 
$k_1, k_2, \cdots, k_m$ such that the frequency of the keyword $k_i$ ($i = 1, 2, \cdots, m$) in the 
document is higher (or lower) than $t_i$. The protocol takes the lower case into account 
because terms that appear too frequently are often not very useful, as they may not 
allow one to retrieve a small subset of documents from the streaming data. 

This form of query can help one in finding more relevant documents, but it cannot 
be implemented with traditional homomorphic encryption schemes. Based on fully 
homomorphic encryption, disjunctive, conjunctive, and complement constructions 
have been given by Yi et al. [23] for private threshold queries based on keyword 
frequency: (1) The disjunctive construction allows one to search for documents 
satisfying a condition such as $(f(k_1) \ge t_1) \vee (f(k_2) \ge t_2) \vee \cdots \vee (f(k_n) \ge t_n)$, 
where $f(k_i)$ denotes the frequency of the keyword $k_i$ and $t_i$ is a given threshold. 
(2) The conjunctive construction allows one to search for documents satisfying a 
condition such as $(f(k_1) \ge t_1) \wedge (f(k_2) \ge t_2) \wedge \cdots \wedge (f(k_n) \ge t_n)$. 
(3) There are two complement constructions. The disjunctive complement construction 
allows one to search for documents satisfying a condition such as 

$$(f(k_{i_1}) \ge t_{i_1}) \vee \cdots \vee (f(k_{i_{n_1}}) \ge t_{i_{n_1}}) \vee \neg(f(k_{j_1}) \ge t_{j_1}) \vee \cdots \vee \neg(f(k_{j_{n_2}}) \ge t_{j_{n_2}}),$$

i.e., 

$$(f(k_{i_1}) \ge t_{i_1}) \vee \cdots \vee (f(k_{i_{n_1}}) \ge t_{i_{n_1}}) \vee (f(k_{j_1}) < t_{j_1}) \vee \cdots \vee (f(k_{j_{n_2}}) < t_{j_{n_2}}),$$

where $\neg$ stands for complement and $n_1 + n_2 = n$. The conjunctive complement 
construction allows one to search for documents satisfying a condition such as 

$$(f(k_{i_1}) \ge t_{i_1}) \wedge \cdots \wedge (f(k_{i_{n_1}}) \ge t_{i_{n_1}}) \wedge \neg(f(k_{j_1}) \ge t_{j_1}) \wedge \cdots \wedge \neg(f(k_{j_{n_2}}) \ge t_{j_{n_2}}),$$

i.e., 

$$(f(k_{i_1}) \ge t_{i_1}) \wedge \cdots \wedge (f(k_{i_{n_1}}) \ge t_{i_{n_1}}) \wedge (f(k_{j_1}) < t_{j_1}) \wedge \cdots \wedge (f(k_{j_{n_2}}) < t_{j_{n_2}}).$$

Furthermore, by combining the above basic constructions, Yi et al. [23] intro- 
duced the generic construction for arbitrary threshold query based on keyword 
frequency. 

Like Yi et al.'s solution for the (t, n) threshold query [24], the solutions [23] 
described here encrypt the thresholds, compare them with the ciphertexts, and store 
a matching document into the buffer by constructing an encryption of an $(L, \ell)$ linear 
code of the document. Unlike the (t, n) threshold query solution [24], where only one 
threshold t is encrypted and enclosed with the searching program, the solutions [23] 
described here encrypt the frequency threshold for each keyword because different 
keywords may have different frequency thresholds. 


6.2 Overview of Private Searching on Streaming Data 


In 2005, Ostrovsky and Skeith [15, 16] gave the first solution for private searching 
on streaming data as follows. 

Assume that the public dictionary of potential keywords is $D = \{w_1, w_2, \cdots, 
w_{|D|}\}$. To construct a program searching for documents containing one or more of the 
classified keywords $K = \{k_1, k_2, \cdots, k_{|K|}\} \subseteq D$, the client generates a pair of 
public and private keys (pk, sk) for a homomorphic encryption scheme $\mathcal{E}$, such 
as the Paillier cryptosystem [18], and produces an array of ciphertexts $\mathcal{E}(D) = 
\{c_1, c_2, \cdots, c_{|D|}\}$, one for each keyword $w_i \in D$, such that $c_i = E_{pk}(1)$ if $w_i \in K$ 
and $c_i = E_{pk}(0)$ otherwise. In addition, the client constructs a buffer B 
with $\gamma m$ boxes, each of them initialized with two ciphertexts $(E_{pk}(0), E_{pk}(0))$, 
where m is the upper bound on the number of matching documents the buffer can 
accommodate and $m / 2^{\gamma}$ should be negligible. 
To perform private searching for keywords, Ostrovsky and Skeith segmented 
the streaming data S into streaming documents $\{M_1, M_2, \cdots\}$, each of which is 
composed of a number of words, and filtered one document at a time. To process a document 
$M_i$, the server, which is provided with D, $\mathcal{E}(D)$, B, computes $d_i = \prod_{w \in M_i} c_w = 
E_{pk}(|M_i \cap K|)$ and $e_i = d_i^{M_i} = E_{pk}(M_i \cdot |M_i \cap K|)$, where the document $M_i$ is also read as an integer, and then copies $(d_i, e_i)$ into $\gamma$ 
randomly chosen boxes in the buffer B by multiplying the corresponding ciphertexts. 
If $M_i \cap K = \emptyset$, this step adds an encryption of 0 to each box, having no 
effect on the corresponding plaintext. If $M_i \cap K \ne \emptyset$, the matching document 
can be retrieved by computing $M_i = D_{sk}(e_i) / D_{sk}(d_i)$ after the buffer returns. If 
two different matching documents are ever added to the same buffer box, a collision 
occurs and both copies are lost. To avoid the loss of matching documents, the 
buffer size has to be sufficiently large so that each matching document survives 
in at least one buffer box with overwhelming probability. 

In 2009, Bethencourt et al. [1, 2] proposed a different approach for retrieving 
matching documents from the buffer. Like the idea of [15], an encrypted dictionary 
is used, and non-matching documents have no effect on the contents of the buffer. 
However, rather than using one large buffer and attempting to avoid collisions, 
Bethencourt, Song, and Waters stored the matching documents in three buffers, the 
data buffer F, the count buffer C, and the matching-indices buffer I, and retrieved 
them by solving linear systems. 

Bethencourt et al.'s solution is able to process $t$ documents $\{M_1, M_2, \dots, M_t\}$ of streaming data. For each document $M_i$, the server computes $d_i$ and $e_i$ as in the Ostrovsky–Skeith protocol and copies $d_i$ and $e_i$ randomly over approximately half of the locations across the buffers $C$ and $F$, respectively. A pseudorandom function $g(i, j)$ is used to determine with probability $1/2$ whether $d_i$ (or $e_i$) is copied into a given location $j$. In addition, the server copies $d_i$ into a fixed number of locations in the buffer $I$. This is done by using essentially the standard procedure for updating a Bloom filter. Specifically, $k$ hash functions $h_1, h_2, \dots, h_k$ are used to select the $k$ locations. The locations of $I$ that $d_i$ is multiplied into are taken to be $h_1(i), h_2(i), \dots, h_k(i)$.

To retrieve the matching documents, Bethencourt, Song, and Waters first decrypt the three buffers $F, C, I$ to $F', C', I'$. For each of the indices $i \in \{1, 2, \dots, t\}$, $h_1(i), h_2(i), \dots, h_k(i)$ are computed and the corresponding locations in $I'$ are checked. If all these locations are nonzero, $i$ is added to the list of potential matching indices, denoted $\{i_1, i_2, \dots, i_q\}$. The values $c = \{\alpha_{i_1}, \alpha_{i_2}, \dots, \alpha_{i_q}\}$, where $\alpha_{i_j} = |M_{i_j} \cap K|$, are then determined by solving the system of linear equations $A \cdot c^{T} = C'^{T}$, where $A = (g(j, i))$ is a $|C| \times q$ matrix. As the last step, the contents of the matching documents $M' = \{M_{i_1}, M_{i_2}, \dots, M_{i_q}\}$ are determined by solving the system of linear equations $A \cdot \mathrm{diag}(c) \cdot M'^{T} = F'^{T}$.

The advantage of Bethencourt et al.'s approach [1, 2], compared to Ostrovsky et al.'s solution [15], is that buffer collisions do not matter, because matching documents can be retrieved by solving linear systems. Consequently, the buffer size does not need to be sufficiently large to maintain a high probability of recovering all matching documents. In fact, the buffer size becomes optimal, i.e., $O(m)$. However, Bethencourt et al.'s approach has a drawback as well. To determine the ordinal numbers of the potential matching documents in the decrypted buffer $I'$, Bethencourt, Song, and Waters have to check each of the indices $i \in \{1, 2, \dots, t\}$ of the data stream. Therefore, buffer recovery has a running time proportional to the size of the data stream, i.e., $O(m^{2.376} + t \log(t/m))$. This does not fit the model given by Ostrovsky et al. in [15, 16], in which the buffer is decrypted at a cost independent of the stream size.

The idea of private searching for documents containing one or more keywords can be modified to construct more complicated queries. For example, a query composed of at most $\lambda$ AND operations can be performed simply by changing the dictionary $D$ to a dictionary $D'$ containing all $|D|^{\lambda}$ $\lambda$-tuples of words in $D$, which of course comes at a polynomial blow-up of the program size.

Using results by Boneh et al. [3], Ostrovsky and Skeith [15, 16] gave a solution for private queries involving an AND of two sets of keywords without increasing the program size. Their basic idea for searching for documents $M$ such that $(M \cap K_1 \neq \emptyset) \wedge (M \cap K_2 \neq \emptyset)$, where $K_1, K_2$ are two sets of potential keywords, is to construct two arrays of ciphertexts $C_\ell = \{c_1^{\ell}, c_2^{\ell}, \dots, c_{|D|}^{\ell}\}$ ($\ell = 1, 2$), where $c_i^{\ell}$ is the encryption of 1 if $w_i \in K_\ell$ and of 0 otherwise. To process a document $M$, the program computes $v_\ell = \prod_{w_i \in M} c_i^{\ell} = \mathcal{E}_{pk}(|M \cap K_\ell|)$ ($\ell = 1, 2$) and then $v = e(v_1, v_2)$, where $e$ is a bilinear map. If $(M \cap K_1 \neq \emptyset) \wedge (M \cap K_2 \neq \emptyset)$ is true, $v$ is an encryption of a nonzero element, and of 0 otherwise. Then $M$ is encrypted by replacing 1 with $v$ and 0 with an encryption of 0, and the ciphertext is copied into $\gamma$ randomly chosen boxes in the buffer $B$.

Ostrovsky and Skeith [17] showed that the general methods used here to create protocols for searching on streaming data (which are based essentially upon manipulating homomorphic encryption) cannot be extended to perform conjunctive queries beyond what has been accomplished above. More specifically, if one builds a protocol based on an Abelian group homomorphic encryption, then no conjunctive query (of more than one term) can be performed without increasing (super-linearly) the dictionary size. It seems that making significant progress in extending the query semantics will require fundamentally different approaches to the problem, unless major developments are made in the design of homomorphic encryption schemes.

Gentry [7–10], using lattice-based cryptography, constructed the first fully homomorphic encryption scheme. In the same year, Dijk et al. [6] presented a second fully homomorphic encryption scheme. In 2010, Smart et al. [20] presented a refinement of Gentry's scheme giving smaller key and ciphertext sizes. These recent breakthroughs in fully homomorphic encryption make it possible to perform more complicated private queries on streaming data.

In 2012, based on fully homomorphic encryption techniques, Yi et al. [24] provided a construction of the searching criteria for a private $(t, n)$ threshold query on streaming data, which searches for documents containing more than $t$ out of $n$ keywords, without increasing the dictionary size. Like [15], it uses an encrypted dictionary $E(D) = \{c_1, c_2, \dots, c_{|D|}\}$, where the ciphertexts corresponding to the $n$ keywords are encryptions of 1 and the others are encryptions of 0. Besides it, an encryption of the threshold $t$ ($< |D|$), denoted as $\mathcal{E}_{pk}(t)$, is attached to the program. To process a document $M_i$, the program computes $d_i = \sum_{w_j \in M_i} c_j = \mathcal{E}_{pk}(|M_i \cap K|)$ and compares $|M_i \cap K|$ with $t$ using $d_i$ and $\mathcal{E}_{pk}(t)$ on the basis of the fully homomorphic property. It outputs a ciphertext $\alpha$, which is an encryption of 0 if $|M_i \cap K| > t$ and an encryption of 1 otherwise. Then $M_i$ is encrypted by replacing 1 with $\alpha + 1$ and 0 with an encryption of 0. The encryption of a matching document is stored into the buffer by constructing an encryption of an $(L, \ell)$ linear code of the document, where $\ell$ and $L$ are the plain document size and the plain buffer size, respectively, and then adding the code position-wise into the buffer. To keep up to $m$ matching documents, the buffer size only needs to be $m\ell k$ ($= Lk$), where $k$ is a security parameter. In addition, the computational decoding cost is $O(m\ell k^2)$, independent of the stream size. Furthermore, the buffer can keep at most $m$ matching documents. In case there are more than $m$ matching documents in the streaming data, the buffer stores the first $m$ matching documents and throws the rest away. Thus, buffer collision is no longer an issue.


6.3 Preliminaries


6.3.1 Integer Addition with FHE


In general, a fully homomorphic encryption scheme $\mathcal{E}$ has the following properties:

$$\mathcal{E}(m_1) + \mathcal{E}(m_2) = \mathcal{E}(m_1 \oplus m_2), \qquad \mathcal{E}(m_1)\mathcal{E}(m_2) = \mathcal{E}(m_1 m_2),$$

for any $m_1, m_2 \in \{0, 1\}$. Based on the above two properties, given $\mathcal{E}(m_1)$ and $\mathcal{E}(m_2)$, we can construct

$$\mathcal{E}(m_1 \wedge m_2) = \mathcal{E}(m_1)\mathcal{E}(m_2), \qquad \mathcal{E}(m_1 \vee m_2) = \mathcal{E}(m_1) + \mathcal{E}(m_2) + \mathcal{E}(m_1)\mathcal{E}(m_2),$$

for any $m_1, m_2 \in \{0, 1\}$.

For a positive integer $M = (m_1 m_2 \cdots m_\ell)_b$ (a binary expression), we write $\mathcal{E}(M) = (\mathcal{E}(m_1), \mathcal{E}(m_2), \dots, \mathcal{E}(m_\ell))$. Given $\mathcal{E}(M_1) = (\mathcal{E}(x_1), \mathcal{E}(x_2), \dots, \mathcal{E}(x_\ell))$ and $\mathcal{E}(M_2) = (\mathcal{E}(y_1), \mathcal{E}(y_2), \dots, \mathcal{E}(y_\ell))$, we can construct $\mathcal{E}(M_1 + M_2)$ as follows.

Assume that $(x_1 x_2 \cdots x_\ell)_b + (y_1 y_2 \cdots y_\ell)_b = (z_0 z_1 \cdots z_\ell)_b$, where $z_0$ is the carry bit. On the basis of the digital circuit for binary integer addition [19], we have

$$c_{i-1} = x_i y_i \vee (x_i \oplus y_i) c_i, \qquad z_i = x_i \oplus y_i \oplus c_i$$

for $i = \ell, \dots, 2, 1$, where $c_\ell = 0$ and $z_0 = c_0$. Since $a \vee b = (a \oplus b) \oplus ab$, one can compute

$$\begin{aligned}
\mathcal{E}(a_{i-1}) &= \mathcal{E}(x_i)\mathcal{E}(y_i) = \mathcal{E}(x_i y_i), \\
\mathcal{E}(b_{i-1}) &= (\mathcal{E}(x_i) + \mathcal{E}(y_i))\mathcal{E}(c_i) = \mathcal{E}((x_i \oplus y_i) c_i), \\
\mathcal{E}(c_{i-1}) &= (\mathcal{E}(a_{i-1}) + \mathcal{E}(b_{i-1})) + \mathcal{E}(a_{i-1})\mathcal{E}(b_{i-1}) = \mathcal{E}((a_{i-1} \oplus b_{i-1}) \oplus a_{i-1} b_{i-1}), \\
\mathcal{E}(z_i) &= \mathcal{E}(x_i) + \mathcal{E}(y_i) + \mathcal{E}(c_i) = \mathcal{E}(x_i \oplus y_i \oplus c_i)
\end{aligned}$$

for $i = \ell, \dots, 2, 1$; then let $\mathcal{E}(z_0) = \mathcal{E}(c_0)$ and $\mathcal{E}(M_1 + M_2) = (\mathcal{E}(z_0), \mathcal{E}(z_1), \dots, \mathcal{E}(z_\ell))$. We define $\mathcal{E}(M_1) \boxplus \mathcal{E}(M_2) = \mathcal{E}(M_1 + M_2)$.


6.3.2 Integer Comparison with FHE


In particular, given $\mathcal{E}(M_1)$ and $\mathcal{E}(M_2)$, where $M_1$ and $M_2$ are two positive integers, we can compare $M_1$ with $M_2$ by computing

$$\mathcal{E}(\overline{M_1}) \boxplus \mathcal{E}(\overline{-M_2}) = \mathcal{E}(\overline{M_1} + \overline{-M_2}),$$

where $\overline{M_1}$ and $\overline{-M_2}$ are the two's complements of $M_1$ and $-M_2$, respectively. The two's complement system is the most common method of representing signed integers on computers (please refer to [12, 13, 22]). If $M_1 \geq M_2$, the most significant bit of $\overline{M_1} + \overline{-M_2}$ is 0, and 1 otherwise. Given $\mathcal{E}(M) = (\mathcal{E}(m_1), \mathcal{E}(m_2), \dots, \mathcal{E}(m_\ell))$, we have

$$\begin{aligned}
\mathcal{E}(\overline{M}) &= (\mathcal{E}(0), \mathcal{E}(m_1), \mathcal{E}(m_2), \dots, \mathcal{E}(m_\ell)), \\
\mathcal{E}(\overline{-M}) &= (\mathcal{E}(1), \mathcal{E}(m_1) + 1, \mathcal{E}(m_2) + 1, \dots, \mathcal{E}(m_\ell) + 1) \boxplus \mathcal{E}(1).
\end{aligned}$$


6.3.3 Binary Linear Codes


An $[n, k]$ binary linear code $C$ of length $n$ and dimension $k$ is a $k$-dimensional subspace of $\mathbb{F}_2^n$ according to [14]. A generator matrix for $C$ is a $k \times n$ matrix

$$G = \begin{pmatrix} a_{11} & a_{12} & \cdots & a_{1n} \\ a_{21} & a_{22} & \cdots & a_{2n} \\ \vdots & \vdots & & \vdots \\ a_{k1} & a_{k2} & \cdots & a_{kn} \end{pmatrix}$$

where $a_{ij} \in \mathbb{F}_2$, such that $C = \{(b_1, b_2, \dots, b_k) G \mid b_i \in \mathbb{F}_2\}$. The matrix $G$ corresponds to a map $\mathbb{F}_2^k \to \mathbb{F}_2^n$ expanding a message $(b_1, b_2, \dots, b_k)$ of length $k$ to an $n$-bit string.

We say that binary linear codes $C_1, C_2, \dots, C_m$ are orthogonal if $C_i \cap C_j = \emptyset$ and $c_i \cdot c_j = 0$ for any two codewords $c_i \in C_i$ and $c_j \in C_j$ ($i, j = 1, 2, \dots, m$, $i \neq j$), where "$\cdot$" stands for the dot product operation. In the case where $m = n/k$, there exist $m$ simple orthogonal binary linear codes $C_1, C_2, \dots, C_m$. The generator matrix of $C_i$ is

$$G_i = \begin{pmatrix} 0 & \cdots & 0 & 1 & 0 & \cdots & 0 & 0 & \cdots & 0 \\ 0 & \cdots & 0 & 0 & 1 & \cdots & 0 & 0 & \cdots & 0 \\ \vdots & & \vdots & \vdots & \vdots & \ddots & \vdots & \vdots & & \vdots \\ 0 & \cdots & 0 & 0 & 0 & \cdots & 1 & 0 & \cdots & 0 \end{pmatrix},$$

i.e., the element at position $(j, (i-1)k + j)$ (for $i = 1, 2, \dots, m$ and $j = 1, 2, \dots, k$) is 1 and all other elements are 0.


6.4 Definitions


Definitions for general private queries were given in [15, 16]. In this chapter, slightly different definitions are given based on the paper by Yi et al. [23].

Like the streaming model given in [15, 16], we consider a universe of words $W = \{0, 1\}^*$ and a dictionary $D \subset W$ with $|D| < \infty$. We think of a document $M$ simply as an ordered, finite sequence of words in $W$, and of a stream of documents $S$ as any sequence of documents. We define a set of keywords to be any subset $K \subseteq D$.


Definition 6.1. A query $Q$ over a set of keywords $K$, denoted as $Q_K$, is a logical expression of keywords in $K$.


Definition 6.2. Given a document $M$ and a query $Q_K$, we define $Q_K(M) = 1$ if $M$ matches the query $Q_K$ and $Q_K(M) = 0$ otherwise.


Definition 6.3. For a query $Q_K$, a private query protocol is composed of the following probabilistic polynomial time algorithms:


1. KeyGen($k$): Takes a security parameter $k$ and generates a pair of public and secret keys $(pk, sk)$.

2. FilterGen($D, Q_K, pk$): Takes a dictionary $D$, a query $Q_K$, and the public key $pk$, and generates a program $F$.

3. FilterExec($S, F, pk, m$): Takes a stream of documents $S$; $F$ searches for any document $M \in S$ such that $Q_K(M) = 1$ (processing one document at a time), encrypts each matching document with the public key $pk$, keeps up to $m$ encrypted matching documents in a buffer $B$, and finally outputs the encrypted buffer $B$.
Fig. 6.1 Model for private searching on streaming data (the figure shows the Query sent in one direction and the Response returned in the other)


4. BufferDec($B, sk$): Decrypts the encrypted buffer $B$, produced by $F$ as above, using the private key $sk$ and outputs a plain buffer $B^*$, a collection of the matching documents from $S$.


Based on Definition 6.3, the model for private searching on streaming data is illustrated in Fig. 6.1.


Definition 6.4 (Correctness of Private Query Protocol). Let $F = $ FilterGen($D, Q_K, pk$), where $D$ is a dictionary, $Q_K$ is a query over keywords $K$, $(pk, sk) = $ KeyGen($k$), and $m$ is an upper bound on the number of matching documents; we say that a private query protocol is correct if the following holds: let $F$ run on any document stream $S$, $B = F(S)$, $B^* = $ BufferDec($B, sk$).


1. (Compiled Program Conciseness) $|F| = O(|D|)$

2. (Output Conciseness) $|B| = O(m)$

3. (Search Completeness) If $|\{M \in S \mid Q_K(M) = 1\}| \leq m$, then $B^* = \{M \in S \mid Q_K(M) = 1\}$.

4. (Collision Freeness) If $|\{M \in S \mid Q_K(M) = 1\}| > m$, then $|B^* \cap \{M \in S \mid Q_K(M) = 1\}| = m$.


where the probabilities are taken over all coin tosses of $F$, FilterGen, and KeyGen.


Definition 6.5 (Privacy). Fix a dictionary $D$. Consider the following game between an adversary $\mathcal{A}$ and a challenger $\mathcal{C}$. The game consists of the following steps:
1. The challenger $\mathcal{C}$ first runs KeyGen($k$) to obtain a pair of public and secret keys $(pk, sk)$ and then sends $pk$ and $m$, the upper bound on the number of matching documents, to $\mathcal{A}$.

2. The adversary $\mathcal{A}$ chooses two queries for two sets of keywords, $Q_{0,K_0}$ and $Q_{1,K_1}$, with $K_0, K_1 \subseteq D$, and sends them to $\mathcal{C}$.

3. The challenger $\mathcal{C}$ chooses a random bit $b \in \{0, 1\}$ and executes FilterGen($D, Q_{b,K_b}, pk$) to create $F_b$, the filtering program for the query $Q_{b,K_b}$, and then sends $F_b$ back to $\mathcal{A}$.

4. The adversary $\mathcal{A}(F_b, pk, m)$ can experiment with the code of $F_b$ in an arbitrary non-black-box way and finally outputs $b' \in \{0, 1\}$.


The adversary wins the game if $b' = b$ and loses otherwise. We define the adversary $\mathcal{A}$'s advantage in this game to be $\mathrm{Adv}_{\mathcal{A}}(k) = |\Pr(b' = b) - 1/2|$. We say that a private query protocol is semantically secure if for any probabilistic polynomial time (PPT) adversary $\mathcal{A}$, $\mathrm{Adv}_{\mathcal{A}}(k)$ is a negligible function, where the probability is taken over the coin tosses of the challenger and the adversary.

In the rest of this chapter, we will use the notations listed in Table 6.1.


Table 6.1 Notations

Symbol | Explanation
$D$ | Dictionary of possible keywords
$|D|$ | Number of possible keywords in $D$
$w_i$ | Word in the dictionary and documents
$K$ | Set of classified keywords
$k_i$ | Classified keyword
$n$ | Number of classified keywords
$Q_K$ | Logical expression of keywords in $K$
$F$ | Filter program
$M, M_i$ | Document in the streaming data
$d$ | Maximal number of words in a document
$B$ | Buffer to store matching documents
$m$ | Maximal number of matching documents in $B$
$(pk, sk)$ | Public/private key pair
$\mathcal{E}_{pk}(b)$ | Encryption of a bit $b$ using $pk$
$\mathcal{D}_{sk}(c)$ | Decryption of a ciphertext $c$ using $sk$
$\hat{0}, \hat{1}$ | Encryptions of 0 and 1 using $pk$
$|C|$ | Size of a ciphertext
$f(k_i)$ | Frequency of keyword $k_i$ in a document
$t_i$ | Frequency threshold of keyword $k_i$
$\hat{w}_i$ | Encryption of frequency threshold $t_i$
$\overline{t}$ | Two's complement of an integer $t$
$\boxplus$ | Homomorphic addition of integers
$\neg(\cdot)$ | Complement of a condition
6.5.1 Disjunctive Threshold Query


Formally, a disjunctive threshold query over keywords $K = \{k_1, k_2, \dots, k_n\}$ can be expressed as

$$Q_K = (f(k_1) \geq t_1) \vee (f(k_2) \geq t_2) \vee \cdots \vee (f(k_n) \geq t_n)$$

where $f(k_i)$ ($1 \leq i \leq n$) is the frequency of the keyword $k_i$ in the document and $t_i$ is the given threshold. It is easy to see


Lemma 6.6 ([23]). Given a document $M$, a disjunctive threshold query $Q_K(M) = 1$ if and only if there exists $i$ such that $f(k_i) \geq t_i$.


Following the model described in Sect. 6.4, the protocol for disjunctive threshold queries is composed of four algorithms KeyGen, FilterGen, FilterExec, and BufferDec. The construction is based on a fully homomorphic encryption scheme and can be formally presented as follows.


Key Generation
KeyGen($k$): Run the key generation algorithm for the underlying fully homomorphic encryption scheme to produce the private key $sk$ and the public key $pk$.


Filter Program Generation
FilterGen($D, Q_K, pk$): This algorithm outputs a filter program $F$ for the disjunctive threshold query $Q_K$ based on keyword frequency.

Assume that the public dictionary is $D = \{w_1, w_2, \dots, w_{|D|}\}$, the keywords are $K = \{k_1, k_2, \dots, k_n\} \subseteq D$, and $d = \lceil \log_2 |M| \rceil$, where $|M|$ stands for the maximal number of words the document $M$ may contain. Then $F$ consists of the dictionary $D$, the disjunctive query sign (denoted as 00), and an array of ciphertexts

$$\hat{D} = \{\hat{w}_1, \hat{w}_2, \dots, \hat{w}_{|D|}\},$$

where $\hat{w}_i = \mathcal{E}_{pk}(t_i)$ and

$$t_i = \begin{cases} \text{frequency threshold for } k_j & \text{if } w_i = k_j \in K \\ 2^d - 1 & \text{if } w_i \notin K \end{cases}$$

Remark. Because the document $M$ contains at most $2^d - 1$ words, the frequency of any word in $M$ is less than $2^d - 1$ unless the document repeats one word $2^d - 1$ times. In practice, such a document is unusual, and we do not consider this special case in this chapter. We set the frequency threshold of a non-keyword to $2^d - 1$ so that its frequency in $M$ is never more than the threshold.
Assume $t_i = (a_{i1} a_{i2} \cdots a_{id})_b$, where $a_{ij} \in \{0, 1\}$; then $\hat{w}_i = \mathcal{E}_{pk}(t_i) = (\mathcal{E}_{pk}(a_{i1}), \mathcal{E}_{pk}(a_{i2}), \dots, \mathcal{E}_{pk}(a_{id}))$. The array of ciphertexts $\hat{D}$ contains $n$ encryptions of frequency thresholds and $|D| - n$ encryptions of $2^d - 1$.


Filter Program Execution

FilterExec($S, F, pk, m$): This algorithm outputs an encrypted buffer $B$ keeping up to $m$ matching documents.

First of all, the program $F$ constructs a data buffer $B$ with $m\ell$ boxes, each of them initialized with $\mathcal{E}_{pk}(0)$, where $\ell$ is the size of a document. Next, $F$ constructs a base buffer $G$ with $m$ boxes, which are initialized with $(\mathcal{E}_{pk}(0), \dots, \mathcal{E}_{pk}(0), \mathcal{E}_{pk}(1))$.


Remark. The data buffer $B$ is used to store the matching documents and the base buffer $G$ is used to ensure that the first $m$ matching documents are stored in $B$ without collision.


In addition, the program $F$ constructs the encryption of the two's complement of $-t_i$ (denoted as $\overline{-t_i}$) from $\hat{w}_i = \mathcal{E}_{pk}(t_i)$, that is,

$$\mathcal{E}_{pk}(\overline{-t_i}) = (\mathcal{E}_{pk}(1), \mathcal{E}_{pk}(a_{i1}) + 1, \dots, \mathcal{E}_{pk}(a_{id}) + 1) \boxplus \mathcal{E}_{pk}(1).$$

The leftmost bit of the two's complement of a negative integer is 1, and 0 otherwise.

Upon receiving an input document $M = (m_1 m_2 \cdots m_\ell)_b$ from the stream $S$, in order to determine whether $M$ is a matching document or not, the program $F$ homomorphically computes a ciphertext $\mathcal{E}_{pk}(c_0)$ such that $c_0 = 1$ if $M$ is a matching document and $c_0 = 0$ otherwise. It proceeds with the following steps:


1. (Word Collection) The program $F$ first collects

$$H = \{(w_i, f(w_i)) \mid w_i \in M \cap D\},$$

where $f(w_i)$ is the frequency of $w_i$ in the document $M$.


Remark. $H$ is the set of words common to the document $M$ and the dictionary $D$, together with their frequencies in $M$.


Next, $F$ constructs the encryption of the two's complement of $f(w_i) = (b_{i1} b_{i2} \cdots b_{id})_b$, denoted as $\overline{f(w_i)}$, for each $w_i \in H$, that is,

$$\mathcal{E}_{pk}(\overline{f(w_i)}) = (\mathcal{E}_{pk}(0), \mathcal{E}_{pk}(b_{i1}), \mathcal{E}_{pk}(b_{i2}), \dots, \mathcal{E}_{pk}(b_{id})).$$

Remark. Because $f(w_i) \leq 2^d - 1$, we only consider the encryptions of the $d$ bits and one sign bit.


2. (Frequency Comparison) For each $w_i \in H$, the program $F$ homomorphically compares the frequency $f(w_i)$ and the frequency threshold $t_i$ by computing
$$\mathcal{E}_{pk}(\overline{f(w_i)} + \overline{-t_i}) = \mathcal{E}_{pk}(\overline{f(w_i)}) \boxplus \mathcal{E}_{pk}(\overline{-t_i}) = (\mathcal{E}_{pk}(c_{i0}), \mathcal{E}_{pk}(c_{i1}), \mathcal{E}_{pk}(c_{i2}), \dots, \mathcal{E}_{pk}(c_{id})),$$

from which only $\mathcal{E}_{pk}(c_{i0})$ is extracted. In the two's complement system, if $c_{i0} = 0$, then $f(w_i) \geq t_i$, and otherwise $f(w_i) < t_i$.

Next, the program $F$ computes

$$\mathcal{E}_{pk}(c_0) = \mathcal{E}_{pk}\Big(\bigvee_{w_i \in H} (c_{i0} \oplus 1)\Big) \qquad (6.1)$$

by repeatedly using $\mathcal{E}_{pk}(c_{i0} \vee \delta) = \mathcal{E}_{pk}(c_{i0}) + \mathcal{E}_{pk}(\delta) + \mathcal{E}_{pk}(c_{i0})\mathcal{E}_{pk}(\delta)$.

If $c_0 = 1$, then there exists $i$ such that $c_{i0} \oplus 1 = 1$ (i.e., $c_{i0} = 0$ and $f(w_i) \geq t_i$). If $w_i \notin K$, then $t_i = 2^d - 1$ and it is impossible that $f(w_i) > 2^d - 1$. This means that $w_i \in K$ and $f(w_i) \geq t_i$. According to Lemma 6.6, $M$ is a matching document.

If $c_0 = 0$, then $c_{i0} \oplus 1 = 0$ (i.e., $c_{i0} = 1$ and $f(w_i) < t_i$) for all $w_i \in M \cap D$. According to Lemma 6.6, $M$ is not a matching document.

3. (Document Storing) Assume that the state of the base buffer $G$ is $(\hat{g}_m, \hat{g}_{m-1}, \dots, \hat{g}_1)$, where $\hat{g}_j$ is an encryption of either 0 or 1. The program $F$ constructs an encrypted $\ell \times L$ generator matrix $\hat{G}$ for an $[L, \ell]$ binary linear code as follows:

$$\hat{G} = \begin{pmatrix} \hat{g}_1 & & & \hat{g}_2 & & & & \hat{g}_m & & \\ & \ddots & & & \ddots & & \cdots & & \ddots & \\ & & \hat{g}_1 & & & \hat{g}_2 & & & & \hat{g}_m \end{pmatrix},$$

where $L = m\ell$ and the element at position $(i, (j-1)\ell + i)$ (for $i = 1, 2, \dots, \ell$ and $j = 1, 2, \dots, m$) is $\hat{g}_j$, while every other element is $\hat{0}$ (an encryption of 0).

To store the encryption of the document $M$ into the data buffer $B$, the program $F$ computes

$$\hat{M} = \mathcal{E}_{pk}(c_0)\mathcal{E}_{pk}(M)\hat{G} = (\mathcal{E}_{pk}(c_0 m_1), \dots, \mathcal{E}_{pk}(c_0 m_\ell))\hat{G}$$

and position-wise adds the result into the data buffer $B$, denoted as

$$B = B + \hat{M}.$$

If $c_0 = 1$, then $\hat{M}$, the encryption of the binary linear code of the matching document $M$, is kept in the data buffer $B$. If $c_0 = 0$, then $\hat{M}$ is an encryption of 0, which has no effect on the data buffer $B$.
4. In order to avoid collision when storing the next matching document into the data buffer $B$, the program $F$ updates the base buffer $G$ by homomorphically shifting $\mathcal{E}_{pk}(1)$ in the base buffer $G$ by one position to the left if $M$ is a matching document and by zero positions otherwise. This is done by computing

$$G' = G \boxplus \mathcal{E}_{pk}(c_0) G,$$

where $G$ is treated as the encryption of an $m$-bit integer, and replacing $G$ with $G'$.


Remark. Initially, $G = (\mathcal{E}_{pk}(0), \dots, \mathcal{E}_{pk}(0), \mathcal{E}_{pk}(1))$. If $c_0 = 0$, the buffer does not change. Only when $c_0 = 1$ is the buffer updated by shifting $\mathcal{E}_{pk}(1)$ one position to the left. We only consider the encryptions of the rightmost $m$ bits. After shifting $m$ times, the buffer becomes the encryptions of all zeros. The buffer contains at most one encryption of 1 at all times.


Buffer Decryption

BufferDec($B, sk$): Using the secret key $sk$, the algorithm decrypts the encrypted data buffer $B$, sent back by the filter program $F$, one box at a time. Assume that the decrypted data buffer is $(m'_1 m'_2 \cdots m'_L)$, where $L = m\ell$; then the set of matching documents is

$$B^* = \{M = (m'_{i\ell+1} m'_{i\ell+2} \cdots m'_{i\ell+\ell})_b \mid M \neq 0,\ i = 0, 1, \dots, m-1\}.$$


Correctness: The filter program $F$ is composed of $D$ (the dictionary) and $\hat{D}$ (the encryptions of the frequency thresholds). The size of $\hat{D}$ is $|D| d k$, where $k$ is the security parameter. Therefore, the size of the filter program is $|F| = O(|D|)$.

The data buffer $B$ has $m\ell$ boxes (where $\ell$ is the size of a document), each keeping a ciphertext of one bit. The size of the buffer is $|B| = m\ell k = O(m)$.

We need to show that if the number of matching documents is less than or equal to $m$, then $B^* = \{M \in S \mid Q_K(M) = 1\}$ (search completeness), and otherwise $|B^* \cap \{M \in S \mid Q_K(M) = 1\}| = m$ (collision freeness).


Assume that the matching documents in the stream $S = \{M_1, M_2, \dots\}$ are $\{M_{i_1}, M_{i_2}, \dots\}$. Initially, the data buffer is $B = (\mathcal{E}_{pk}(0), \mathcal{E}_{pk}(0), \dots, \mathcal{E}_{pk}(0))$, the base buffer is $G = (\mathcal{E}_{pk}(0), \dots, \mathcal{E}_{pk}(0), \mathcal{E}_{pk}(1))$, and the generator matrix is

$$\hat{G} = \begin{pmatrix} \hat{1} & & & \hat{0} & & & & \hat{0} & & \\ & \ddots & & & \ddots & & \cdots & & \ddots & \\ & & \hat{1} & & & \hat{0} & & & & \hat{0} \end{pmatrix},$$

where $\hat{1}$ and $\hat{0}$ are encryptions of 1 and 0, respectively, and all unmarked entries are $\hat{0}$.

For a non-matching document $M$, we have $c_0 = 0$ and thus $\hat{M} = \mathcal{E}_{pk}(c_0)\mathcal{E}_{pk}(M)\hat{G} = (\mathcal{E}_{pk}(0), \mathcal{E}_{pk}(0), \dots, \mathcal{E}_{pk}(0))$, the data buffer $B + \hat{M} = B$, and the base buffer $G' = G \boxplus \mathcal{E}_{pk}(0) G = G$, which means that the contents of $B$ and $G$ do not change.
When the filter program $F$ deals with the matching document $M_{i_j}$ ($1 \leq j \leq m$), we have $c_0 = 1$, and the state of the base buffer $G$ has evolved from $(\mathcal{E}_{pk}(0), \dots, \mathcal{E}_{pk}(0), \mathcal{E}_{pk}(1))$ by shifting $\mathcal{E}_{pk}(1)$ to the left by $j - 1$ positions, because there are $j - 1$ matching documents before $M_{i_j}$. Therefore, the generator matrix

$$\hat{G} = \begin{pmatrix} \hat{0} & & & & \hat{1} & & & & \hat{0} & & \\ & \ddots & & \cdots & & \ddots & & \cdots & & \ddots & \\ & & \hat{0} & & & & \hat{1} & & & & \hat{0} \end{pmatrix}$$

has its $\hat{1}$ entries in the $j$-th block of $\ell$ columns, so $\hat{M}_{i_j} = \mathcal{E}_{pk}(c_0)\mathcal{E}_{pk}(M_{i_j})\hat{G} = (\mathcal{E}_{pk}(0), \dots, \mathcal{E}_{pk}(M_{i_j}), \dots, \mathcal{E}_{pk}(0))$ and $B = B + \hat{M}_{i_j} = (\mathcal{E}_{pk}(M_{i_1}), \dots, \mathcal{E}_{pk}(M_{i_{j-1}}), \mathcal{E}_{pk}(M_{i_j}), \mathcal{E}_{pk}(0), \dots, \mathcal{E}_{pk}(0))$. After that, the base buffer $G$ is updated to $G \boxplus \mathcal{E}_{pk}(c_0) G = G \boxplus G$, i.e., $\mathcal{E}_{pk}(1)$ is shifted further to the left by one position.

In case the filter program $F$ deals with the matching document $M_{i_j}$ ($j > m$), although $c_0 = 1$, the base buffer $G$ contains the encryptions of all zeros and so does the generator matrix $\hat{G}$. Therefore, $\hat{M}_{i_j} = \mathcal{E}_{pk}(c_0)\mathcal{E}_{pk}(M_{i_j})\hat{G} = (\mathcal{E}_{pk}(0), \mathcal{E}_{pk}(0), \dots, \mathcal{E}_{pk}(0))$ and $B = B + \hat{M}_{i_j} = B$. This means the matching document $M_{i_j}$ ($j > m$) has no effect on the data buffer $B$.

In summary, both search completeness and collision freeness hold.
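The following Python program is an added example, not code from the book or from Yi et al. [23]: it simulates the disjunctive threshold filter of this section on top of the bit-level operations of Sects. 6.3.1 and 6.3.2 (the ripple-carry adder $\boxplus$, the two's complement comparison, the encrypted generator matrix of step 3 and the base-buffer shift $G \boxplus \mathcal{E}_{pk}(c_0)G$ of step 4). Ciphertexts are stood in for by a `Bit` class whose `+` is XOR and `*` is AND, so the circuits are the ones described above while nothing is actually encrypted; the dictionary, thresholds, fixed-size document encoding and document stream are constructed sample data.

```python
# Added example (not from the book): Bit stands in for a ciphertext E(b); nothing is encrypted.
from collections import Counter


class Bit:
    """Stands in for E(b): '+' is E(b1 XOR b2) and '*' is E(b1 AND b2) (Sect. 6.3.1)."""
    def __init__(self, v):
        self.v = int(v) & 1

    def __add__(self, other):
        return Bit(self.v ^ (other.v if isinstance(other, Bit) else other))

    def __mul__(self, other):
        return Bit(self.v & (other.v if isinstance(other, Bit) else other))


def enc_int(n, width):
    """E(M) = (E(m_1), ..., E(m_width)), most significant bit first."""
    return [Bit((n >> (width - 1 - i)) & 1) for i in range(width)]


def dec_int(bits):
    return int("".join(str(b.v) for b in bits), 2)


def he_add(xs, ys):
    """E(M1) ⊞ E(M2) by the ripple-carry circuit of Sect. 6.3.1.
    Returns the carry E(z_0) followed by the len(xs) sum bits E(z_1), ..., E(z_l)."""
    c, zs = Bit(0), []                                  # c_l = 0
    for x, y in zip(reversed(xs), reversed(ys)):        # i = l, ..., 1
        a, b = x * y, (x + y) * c                       # a = x_i y_i, b = (x_i XOR y_i) c_i
        zs.append(x + y + c)                            # z_i = x_i XOR y_i XOR c_i
        c = (a + b) + a * b                             # c_{i-1} = a OR b
    return [c] + zs[::-1]


def he_neg(bits):
    """Two's complement E(-M): sign bit 1, flipped bits, then ⊞ 1 (Sect. 6.3.2)."""
    flipped = [Bit(1)] + [b + 1 for b in bits]
    return he_add(flipped, enc_int(1, len(flipped)))[1:]   # drop the carry-out


def he_lt(xs, ys):
    """E(c_0) of E(X) ⊞ E(-Y): c_0 = 0 if X >= Y and c_0 = 1 if X < Y."""
    return he_add([Bit(0)] + list(xs), he_neg(ys))[1]


def filter_gen(dictionary, thresholds, d):
    """Encrypted thresholds w^_i: t_i for a keyword, 2^d - 1 for a non-keyword."""
    return {w: enc_int(thresholds.get(w, (1 << d) - 1), d) for w in dictionary}


def doc_bits(doc, ell):
    """Fixed-size document M = (m_1 ... m_ell)_b: UTF-8 bytes zero-padded to ell bits."""
    data = doc.encode()[: ell // 8].ljust(ell // 8, b"\0")
    return [Bit((byte >> (7 - k)) & 1) for byte in data for k in range(8)]


def filter_exec(stream, enc_thresh, d, m, ell):
    B = [Bit(0)] * (m * ell)                            # data buffer, all E(0)
    G = enc_int(1, m)                                   # base buffer (E(0),...,E(0),E(1))
    for doc in stream:
        # 1. word collection: H = {(w_i, f(w_i)) | w_i in M and in D}
        H = Counter(w for w in doc.split() if w in enc_thresh)
        # 2. frequency comparison and Eq. (6.1): c_0 = OR over H of (c_i0 XOR 1)
        c0 = Bit(0)
        for w, f in H.items():
            s = he_lt(enc_int(f, d), enc_thresh[w]) + 1   # 1 iff f(w_i) >= t_i
            c0 = c0 + s + c0 * s                          # E(c_0 OR s)
        # 3. document storing: M^ = E(c_0) E(M) G^, where column block j of the
        #    generator matrix carries base-buffer bit g_j; add position-wise into B
        mbits = [c0 * b for b in doc_bits(doc, ell)]
        for j in range(m):
            g = G[m - 1 - j]                              # g_1 is the rightmost box
            for i in range(ell):
                B[j * ell + i] = B[j * ell + i] + g * mbits[i]
        # 4. base buffer update G' = G ⊞ E(c_0) G: shifts E(1) left once per match
        G = he_add(G, [c0 * g for g in G])[1:]
    return B


def buffer_dec(B, m, ell):
    """BufferDec: split into m documents of ell bits and keep the nonzero ones."""
    docs = []
    for j in range(m):
        bits = B[j * ell:(j + 1) * ell]
        if any(b.v for b in bits):
            raw = bytes(dec_int(bits[k:k + 8]) for k in range(0, ell, 8))
            docs.append(raw.rstrip(b"\0").decode())
    return docs


def demo():
    """Constructed data: query f(alpha) >= 2 OR f(gamma) >= 1, buffer for m = 2 matches."""
    D = ["alpha", "beta", "gamma", "delta"]
    Q = {"alpha": 2, "gamma": 1}
    d, m, ell = 4, 2, 8 * 24                            # <= 15 words, 2 slots, 24 bytes
    stream = ["alpha beta alpha", "beta delta beta", "gamma",
              "alpha gamma alpha", "alpha"]             # 4th doc is a 3rd match (dropped)
    return buffer_dec(filter_exec(stream, filter_gen(D, Q, d), d, m, ell), m, ell)
```

Running `demo()` returns the first two matching documents only: the third match is silently discarded because the base buffer has shifted to all zeros, and the non-matching documents leave both buffers unchanged.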


6.5.2 Conjunctive Threshold Query


Formally, a conjunctive threshold query over keywords $K = \{k_1, k_2, \dots, k_n\}$ can be expressed as

$$Q_K = (f(k_1) \geq t_1) \wedge (f(k_2) \geq t_2) \wedge \cdots \wedge (f(k_n) \geq t_n)$$

where $f(k_i)$ ($1 \leq i \leq n$) is the frequency of the keyword $k_i$ in the document and $t_i$ is the given threshold. It is easy to see


Lemma 6.7 ([23]). Given a document $M$, a conjunctive threshold query $Q_K(M) = 1$ if and only if $f(k_i) \geq t_i$ for $1 \leq i \leq n$.


Following the model described in Sect. 6.4, the protocol for conjunctive threshold queries is composed of four algorithms KeyGen, FilterGen, FilterExec, and BufferDec. The conjunctive construction can be formally presented as follows.


Key Generation
KeyGen($k$): Run the key generation algorithm for the underlying fully homomorphic encryption scheme to produce the private key $sk$ and the public key $pk$.
Filter Program Generation
FilterGen($D, Q_K, pk$): This algorithm outputs a filter program $F$ for the conjunctive threshold query $Q_K$ based on keyword frequency.

Assume that the public dictionary is $D = \{w_1, w_2, \dots, w_{|D|}\}$, the keywords are $K = \{k_1, k_2, \dots, k_n\} \subseteq D$, and $d = \lceil \log_2 |M| \rceil$, where $|M|$ stands for the maximal number of words the document $M$ can contain. Then $F$ consists of the dictionary $D$, the conjunctive query sign (denoted as 01), and an array of ciphertexts

$$\hat{D} = \{\hat{w}_1, \hat{w}_2, \dots, \hat{w}_{|D|}\},$$

where $\hat{w}_i = \mathcal{E}_{pk}(t_i)$ and

$$t_i = \begin{cases} \text{frequency threshold for } k_j & \text{if } w_i = k_j \in K \\ 0 & \text{if } w_i \notin K \end{cases}$$

Remark. Because the document $M$ contains at most $2^d - 1$ words, both $t_i$ and $t = \sum_{k_i \in K} t_i$ must be less than $2^d - 1$. We set the frequency threshold of a non-keyword to 0 so that its frequency is always more than the threshold.


Assume $t_i = (a_{i1} a_{i2} \cdots a_{id})_b$, where $a_{ij} \in \{0, 1\}$; then $\hat{w}_i = \mathcal{E}_{pk}(t_i) = (\mathcal{E}_{pk}(a_{i1}), \mathcal{E}_{pk}(a_{i2}), \dots, \mathcal{E}_{pk}(a_{id}))$. The array of ciphertexts contains $n$ encryptions of frequency thresholds and $|D| - n$ encryptions of 0.


Filter Program Execution

FilterExec($S, F, pk, m$): This algorithm outputs an encrypted buffer $B$ keeping up to $m$ matching documents.

First of all, the program $F$ constructs a data buffer $B$ with $m\ell$ boxes, each of them initialized with $\mathcal{E}_{pk}(0)$. Next, $F$ constructs a base buffer $G$ with $m$ boxes, which are initialized with $(\mathcal{E}_{pk}(0), \dots, \mathcal{E}_{pk}(0), \mathcal{E}_{pk}(1))$. In addition, the program $F$ constructs the encryption of the two's complement of $-t_i$ (denoted as $\overline{-t_i}$) from $\hat{w}_i = \mathcal{E}_{pk}(t_i)$, that is,

$$\mathcal{E}_{pk}(\overline{-t_i}) = (\mathcal{E}_{pk}(1), \mathcal{E}_{pk}(a_{i1}) + 1, \dots, \mathcal{E}_{pk}(a_{id}) + 1) \boxplus \mathcal{E}_{pk}(1),$$

the encryption of $t = \sum_{w_i \in K} t_i$ from $\hat{D}$ (please note that $t_i = 0$ when $w_i \notin K$), that is,

$$\mathcal{E}_{pk}(t) = \hat{w}_1 \boxplus \hat{w}_2 \boxplus \cdots \boxplus \hat{w}_{|D|},$$

and the encryption of the two's complement of $-t$ (denoted as $\overline{-t}$) from $\mathcal{E}_{pk}(t) = (\mathcal{E}_{pk}(a_1), \mathcal{E}_{pk}(a_2), \dots, \mathcal{E}_{pk}(a_d))$, that is,

$$\mathcal{E}_{pk}(\overline{-t}) = (\mathcal{E}_{pk}(1), \mathcal{E}_{pk}(a_1) + 1, \dots, \mathcal{E}_{pk}(a_d) + 1) \boxplus \mathcal{E}_{pk}(1).$$
Upon receiving an input document $M = (m_1 m_2 \cdots m_\ell)_b$ from the stream $S$, in order to determine whether $M$ is a matching document or not, the program $F$ homomorphically computes a ciphertext $\mathcal{E}_{pk}(c_0)$ such that $c_0 = 1$ if $M$ is a matching document and $c_0 = 0$ otherwise. It proceeds with the following steps:


1. (Word Collection) The program $F$ first collects

$$H = \{(w_i, f(w_i)) \mid w_i \in M \cap D\},$$

where $f(w_i)$ is the frequency of $w_i$ in the document $M$. Next, $F$ constructs the encryption of the two's complement of $f(w_i) = (b_{i1} b_{i2} \cdots b_{id})_b$, denoted as $\overline{f(w_i)}$, for each $w_i \in H$, that is,

$$\mathcal{E}_{pk}(\overline{f(w_i)}) = (\mathcal{E}_{pk}(0), \mathcal{E}_{pk}(b_{i1}), \mathcal{E}_{pk}(b_{i2}), \dots, \mathcal{E}_{pk}(b_{id})),$$

and the encryption of the two's complement of $t' = \sum_{w_i \in H \cap K} t_i = (\beta_1 \beta_2 \cdots \beta_d)_b$, denoted as $\overline{t'}$, that is,

$$\mathcal{E}_{pk}(\overline{t'}) = (\mathcal{E}_{pk}(0), \mathcal{E}_{pk}(\beta_1), \mathcal{E}_{pk}(\beta_2), \dots, \mathcal{E}_{pk}(\beta_d)).$$


Remark. $\mathcal{E}_{pk}(t') = (\mathcal{E}_{pk}(\beta_1), \mathcal{E}_{pk}(\beta_2), \dots, \mathcal{E}_{pk}(\beta_d))$ can be obtained as $\boxplus_{w_i \in H} \hat{w}_i$. Because the sum $t'$ is never more than $2^d - 1$, we consider the $d$ bits of $t'$ only.


2. (Frequency Comparison) For each $w_i \in H$, the program $F$ homomorphically compares $f(w_i)$ and $t_i$ by computing

$$\mathcal{E}_{pk}(\overline{f(w_i)} + \overline{-t_i}) = \mathcal{E}_{pk}(\overline{f(w_i)}) \boxplus \mathcal{E}_{pk}(\overline{-t_i}) = (\mathcal{E}_{pk}(c_{i0}), \mathcal{E}_{pk}(c_{i1}), \mathcal{E}_{pk}(c_{i2}), \dots, \mathcal{E}_{pk}(c_{id})),$$

from which only $\mathcal{E}_{pk}(c_{i0})$ is extracted. If $c_{i0} = 0$, then $f(w_i) \geq t_i$, and otherwise $f(w_i) < t_i$.

In addition, the program $F$ homomorphically checks whether the document $M$ contains all keywords in $K$ by computing

$$\mathcal{E}_{pk}(\overline{t'} + \overline{-t}) = \mathcal{E}_{pk}(\overline{t'}) \boxplus \mathcal{E}_{pk}(\overline{-t}) = (\mathcal{E}_{pk}(\gamma_0), \mathcal{E}_{pk}(\gamma_1), \mathcal{E}_{pk}(\gamma_2), \dots, \mathcal{E}_{pk}(\gamma_d)),$$

from which only $\mathcal{E}_{pk}(\gamma_0)$ is extracted. If $\gamma_0 = 0$, then $t' \geq t$ and thus $t' = t$, and the document contains all keywords in $K$. If $\gamma_0 = 1$, then $t' < t$ and the document does not contain all keywords in $K$.

Remark. Because $t' = \sum_{w_i \in H \cap K} t_i \leq \sum_{w_i \in K} t_i = t$, the inequality $t' \geq t$ means that $t' = t$, $H \cap K = K$, and the document contains all keywords in $K$. Conversely, the inequality $t' < t$ means that $H \cap K \subset K$ and the document does not contain all keywords in $K$.


Next, the program $F$ computes

$$\mathcal{E}_{pk}(c_0) = \mathcal{E}_{pk}\Big((\gamma_0 \oplus 1) \bigwedge_{w_i \in H} (c_{i0} \oplus 1)\Big) = (\mathcal{E}_{pk}(\gamma_0) + \mathcal{E}_{pk}(1)) \prod_{w_i \in H} (\mathcal{E}_{pk}(c_{i0}) + \mathcal{E}_{pk}(1)). \qquad (6.2)$$

If $c_0 = 1$, then $\gamma_0 = 0$ and $c_{i0} = 0$ for all $w_i \in H$. As discussed above, $\gamma_0 = 0$ means $H \cap K = K$, while $c_{i0} = 0$ for all $w_i \in H$ means $f(w_i) \geq t_i$ for all $w_i \in H$. It is obvious that $f(w_i) \geq 0 = t_i$ for all $w_i \notin K$. According to Lemma 6.7, $M$ is a matching document.

If $c_0 = 0$ and $\gamma_0 = 1$, $M$ does not contain all keywords in $K$. According to Lemma 6.7, $M$ is not a matching document. If $c_0 = 0$ and $\gamma_0 = 0$, $M$ does contain all keywords in $K$, but there exists $i$ such that $f(w_i) < t_i$. According to Lemma 6.7, $M$ is not a matching document.

The rest of the algorithm and the buffer decryption algorithm are the same as for the disjunctive threshold query.


The correctness of the conjunctive threshold query can be proved in the same way as the correctness of the disjunctive threshold query.


6.5.3 Complement Threshold Query


There are two complement constructions for private threshold queries based on keyword frequency: the disjunctive complement and the conjunctive complement.


6.5.3.1 Disjunctive Complement


Formally, a disjunctive complement threshold query over keywords $K = \{k_1, k_2, \dots, k_n\}$ can be expressed as

$$\begin{aligned}
Q_K &= (f(k_{i_1}) \geq t_{i_1}) \vee \cdots \vee (f(k_{i_{n_1}}) \geq t_{i_{n_1}}) \vee \neg(f(k_{j_1}) \geq t_{j_1}) \vee \cdots \vee \neg(f(k_{j_{n_2}}) \geq t_{j_{n_2}}) \\
&= (f(k_{i_1}) \geq t_{i_1}) \vee \cdots \vee (f(k_{i_{n_1}}) \geq t_{i_{n_1}}) \vee (f(k_{j_1}) < t_{j_1}) \vee \cdots \vee (f(k_{j_{n_2}}) < t_{j_{n_2}}),
\end{aligned}$$

where $\neg$ stands for complement (i.e., negation), $\{k_{i_1}, \dots, k_{i_{n_1}}, k_{j_1}, \dots, k_{j_{n_2}}\} = K$, and $n_1 \geq 0$, $n_2 \geq 0$. It is easy to see


Lemma 6.8 ([23]). Given a document $M$, a disjunctive complement query $Q_K(M) = 1$ if and only if there exists $l$ such that $f(k_{i_l}) \geq t_{i_l}$ or $f(k_{j_l}) < t_{j_l}$.


The construction for the disjunctive complement query is composed of KeyGen, FilterGen, FilterExec, and BufferDec, where KeyGen and BufferDec are the same as for the disjunctive threshold query described in Sect. 6.5.1.


Filter Program Generation
FilterGen($D, Q_K, pk$): This algorithm outputs a filter program $F$, which consists of the public dictionary $D = \{w_1, w_2, \dots, w_{|D|}\}$, the disjunctive complement sign (denoted as 10), an array of ciphertexts $\hat{D} = \{\hat{w}_1, \hat{w}_2, \dots, \hat{w}_{|D|}\}$, where $\hat{w}_i = \mathcal{E}_{pk}(t_i)$ and

$$t_i = \begin{cases} \text{frequency threshold for } k_j & \text{if } w_i = k_j \in K \\ 2^d - 1 & \text{if } w_i \notin K \end{cases}$$

and an array of ciphertexts $\hat{D}' = \{\hat{w}'_1, \hat{w}'_2, \dots, \hat{w}'_{|D|}\}$, where $\hat{w}'_i = \mathcal{E}_{pk}(s_i)$ and

$$s_i = \begin{cases} 1 & \text{if } w_i \in \{k_{j_1}, \dots, k_{j_{n_2}}\} \\ 0 & \text{otherwise} \end{cases}$$


Remark. The encryptions of $s_1, s_2, \dots, s_{|D|}$ are used to indicate the complement positions in $Q_K$ in private.


Filter Program Execution

FilterExec($S, F, pk, m$): This algorithm outputs an encrypted buffer $B$ keeping up to $m$ matching documents.

The algorithm is the same as the filter program execution in the disjunctive threshold query described in Sect. 6.5.1, except that $F$ computes

$$\mathcal{E}_{pk}(c_0) = \mathcal{E}_{pk}\Big(\bigvee_{w_i \in H} (c_{i0} \oplus 1 \oplus s_i)\Big) \qquad (6.3)$$

on the basis of the homomorphic properties described in Sect. 6.3.1.

If $c_0 = 1$, then there exists $l$ such that $c_{l0} \oplus 1 \oplus s_l = 1$ (i.e., $c_{l0} \oplus s_l = 0$). If $w_l \in \{k_{i_1}, \dots, k_{i_{n_1}}\}$, then $s_l = 0$ and thus $c_{l0} = 0$, which means that $f(w_l) \geq t_l$. If $w_l \in \{k_{j_1}, \dots, k_{j_{n_2}}\}$, then $s_l = 1$ and thus $c_{l0} = 1$, which means that $f(w_l) < t_l$. If $w_l \notin K$, then $s_l = 0$ and thus $c_{l0} = 0$, which means that $f(w_l) \geq t_l = 2^d - 1$.
This is impossible, and this event never occurs when $c_0 = 1$. According to Lemma 6.8, $M$ is a matching document when $c_0 = 1$.

If $c_0 = 0$, then $c_{l0} \oplus 1 \oplus s_l = 0$ (i.e., $c_{l0} \oplus s_l = 1$) for all $w_l \in M \cap D$. If $w_l \in \{k_{i_1}, \dots, k_{i_{n_1}}\}$, then $s_l = 0$ and thus $c_{l0} = 1$, which means that $f(w_l) < t_l$. If $w_l \in \{k_{j_1}, \dots, k_{j_{n_2}}\}$, then $s_l = 1$ and thus $c_{l0} = 0$, which means that $f(w_l) \geq t_l$. According to Lemma 6.8, $M$ is not a matching document when $c_0 = 0$.


Remark. A disjunctive complement query becomes a disjunctive query if we let $s_i = 0$ for all $i$. In addition, if we let $s_i = 1$ for all $i$, a disjunctive complement query becomes

$$Q_K = (f(k_1) < t_1) \vee (f(k_2) < t_2) \vee \cdots \vee (f(k_n) < t_n).$$


6.5.3.2 Conjunctive Complement 


Formally, a conjunctive complement threshold query over keywords K = {k_1, k_2, ..., k_n} can be expressed as

Q_K = (f(k_{i_1}) \ge t_{i_1}) \wedge \cdots \wedge (f(k_{i_{n_1}}) \ge t_{i_{n_1}}) \wedge \neg (f(k_{j_1}) \ge t_{j_1}) \wedge \cdots \wedge \neg (f(k_{j_{n_2}}) \ge t_{j_{n_2}})
    = (f(k_{i_1}) \ge t_{i_1}) \wedge \cdots \wedge (f(k_{i_{n_1}}) \ge t_{i_{n_1}}) \wedge (f(k_{j_1}) < t_{j_1}) \wedge \cdots \wedge (f(k_{j_{n_2}}) < t_{j_{n_2}})

where ¬ stands for complement (i.e., negation), {k_{i_1}, ..., k_{i_{n_1}}} ∪ {k_{j_1}, ..., k_{j_{n_2}}} = K, and n_1 > 0, n_2 > 0. It is easy to see the following.

Lemma 6.9 ([23]). Given a document M, a conjunctive complement query Q_K(M) = 1 if and only if, for any k_i ∈ {k_{i_1}, ..., k_{i_{n_1}}}, f(k_i) ≥ t_i, and for any k_i ∈ {k_{j_1}, ..., k_{j_{n_2}}}, f(k_i) < t_i.

The construction for the conjunctive complement query is composed of KeyGen, FilterGen, FilterExec, and BufferDec, where KeyGen and BufferDec are the same as in the disjunctive threshold query described in Sect. 6.5.1.


Filter Program Generation 
FilterGen(D, Q_K, pk): This algorithm outputs a filter program F, which consists of the public dictionary D = {w_1, w_2, ..., w_{|D|}}, the conjunctive complement sign (denoted as 11), an array of ciphertexts \hat{D} = {\hat{w}_1, \hat{w}_2, ..., \hat{w}_{|D|}}, where \hat{w}_i = E_pk(t_i) and

t_i = \begin{cases} \text{frequency threshold for } k_j & \text{if } w_i = k_j \in K \\ 0 & \text{if } w_i \notin K \end{cases}

and an array of ciphertexts D' = {w'_1, w'_2, ..., w'_{|D|}} where w'_i = E_pk(s_i) and

s_i = \begin{cases} 1 & \text{if } w_i \in \{k_{j_1}, \dots, k_{j_{n_2}}\} \\ 0 & \text{otherwise} \end{cases}


Filter Program Execution 

FilterExec(S, F, pk, m): This algorithm outputs an encrypted buffer B keeping up to m matching documents.

The algorithm is the same as the filter program execution in the conjunctive threshold query described in Sect. 6.5.2, except that F computes

E_{pk}(c_0) = E_{pk}\Big( (y_0 \oplus 1) \wedge \bigwedge_{w_i \in H} (c_{i0} \oplus 1 \oplus s_i) \Big)   (6.4)
           = \big(E_{pk}(y_0) + E_{pk}(1)\big) \prod_{w_i \in H} \big(E_{pk}(c_{i0}) + E_{pk}(1) + w'_i\big)

according to the homomorphic properties described in Sect. 6.3.1.

If c_0 = 1, then y_0 = 0 and c_{i0} ⊕ 1 ⊕ s_i = 1 (i.e., c_{i0} ⊕ s_i = 0) for all w_i ∈ H. y_0 = 0 means H ∩ K = K. If w_i ∈ {k_{i_1}, ..., k_{i_{n_1}}}, then s_i = 0 and thus c_{i0} = 0, which means that f(w_i) ≥ t_i. If w_i ∈ {k_{j_1}, ..., k_{j_{n_2}}}, then s_i = 1 and thus c_{i0} = 1, which means that f(w_i) < t_i. According to Lemma 6.9, M is a matching document when c_0 = 1.

If c_0 = 0 and y_0 = 1, M does not contain all keywords in K. According to Lemma 6.9, M is not a matching document. If c_0 = 0 and y_0 = 0, M does contain all keywords in K, but there exists i such that c_{i0} ⊕ 1 ⊕ s_i = 0 (i.e., c_{i0} ⊕ s_i = 1). If w_i ∈ {k_{i_1}, ..., k_{i_{n_1}}}, then s_i = 0 and thus c_{i0} = 1, which means that f(w_i) < t_i. If w_i ∈ {k_{j_1}, ..., k_{j_{n_2}}}, then s_i = 1 and thus c_{i0} = 0, which means that f(w_i) ≥ t_i. According to Lemma 6.9, M is not a matching document when c_0 = 0.

Remark. A conjunctive complement query becomes a conjunctive query if we let s_i = 0 for all i. In addition, if we let s_i = 1 for all i, a conjunctive complement query becomes

Q_K = (f(k_1) < t_1) \wedge (f(k_2) < t_2) \wedge \cdots \wedge (f(k_n) < t_n).


6.5.4 Generic Threshold Query 


By combining the above basic constructions for private threshold queries based on keyword frequency, we present the construction for a generic threshold query without asymptotically increasing the program size as follows.

Assume that D is the public dictionary of potential keywords and Q^{(i)}_{K_i} (i = 1, 2, ..., λ) stands for a disjunctive, conjunctive, or complement query over keywords K_i ⊆ D; we consider a generic threshold query

\Phi\big(Q^{(1)}_{K_1}, Q^{(2)}_{K_2}, \dots, Q^{(\lambda)}_{K_\lambda}\big),

where the operators in Φ belong to {∨, ∧, ⊕} and K_i ∩ K_j for any i and j is not necessarily empty.

The construction for the generic threshold query over keywords K_i (i = 1, 2, ..., λ) is composed of KeyGen, FilterGen, FilterExec, and BufferDec, where KeyGen and BufferDec are the same as in the threshold queries described in Sect. 6.5.1.

Filter Program Generation

FilterGen(D, Q^{(1)}_{K_1}, Q^{(2)}_{K_2}, ..., Q^{(λ)}_{K_λ}, pk): This algorithm outputs a filter program F, which consists of {F_1, F_2, ..., F_λ} where F_i = FilterGen(D, Q^{(i)}_{K_i}, pk).

Filter Program Execution

FilterExec(S, F, pk, m): This algorithm outputs an encrypted buffer B keeping up to m matching documents. Upon receiving an input document M = (m_1 m_2 ⋯ m_ℓ)_2 from the stream S, the program F proceeds with the following steps:

1. The program F runs the programs F_i to compute E_pk(c_0^{(i)}) based on Eqs. (6.1)-(6.4).
2. The program F computes

E_{pk}(c_0) = E_{pk}\big(\Phi(c_0^{(1)}, c_0^{(2)}, \dots, c_0^{(\lambda)})\big),

according to the homomorphic properties described in Sect. 6.3.1.

If c_0 = 1, M is a matching document. If c_0 = 0, M is not a matching document.

The rest of the construction is the same as FilterExec of the disjunctive threshold query described in Sect. 6.5.1.

Remark. All kinds of private threshold queries based on keyword frequency can be expressed as Φ(Q^{(1)}_{K_1}, ..., Q^{(λ)}_{K_λ}), where Q^{(i)}_{K_i} is either a disjunctive, conjunctive, or complement threshold query, and the operators in Φ belong to {∨, ∧, ⊕}. Therefore, the solution supports arbitrary private threshold queries.
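As an added example that is not the book's code, the following Python model evaluates the filter logic of Eqs. (6.3) and (6.4) (Sect. 6.5.3) and the generic combination Φ of Sect. 6.5.4 on plaintext bits, using only XOR and AND, the two operations the server performs homomorphically. The dictionary, keywords and documents are constructed; the thresholds assigned to words outside K (2^d − 1 for the disjunctive case, 0 for the conjunctive case) are assumptions taken from the text above.

```python
# Added illustration (not the book's code): plaintext model of Eqs. (6.3)/(6.4)
# and of the generic combination Phi. Bits are combined only with XOR
# (addition mod 2) and AND (multiplication mod 2); the ciphertexts E_pk(.)
# of the book are replaced by the plaintext bits they would encrypt.
from collections import Counter
from functools import reduce

def xor(*bits):             # homomorphic addition of bits
    return sum(bits) % 2

def and_(*bits):            # homomorphic multiplication of bits
    return reduce(lambda a, b: a * b, bits, 1)

def or_(*bits):             # OR from XOR and AND: 1 + prod(1 + b_i) (mod 2)
    return xor(1, and_(*[xor(1, b) for b in bits]))

def filter_gen(D, K, d, sign):
    """t_i and s_i over the dictionary D; K maps keyword -> (threshold, complemented).
    sign "10" = disjunctive complement, "11" = conjunctive complement.
    In the book both arrays are sent encrypted (D_hat = E(t_i), D' = E(s_i)).
    Assumption: for w_i not in K, t_i = 2^d - 1 in the disjunctive case (its term
    becomes 0, neutral for OR) and t_i = 0 in the conjunctive case (term 1, neutral for AND)."""
    default = (1 << d) - 1 if sign == "10" else 0
    t = [K[w][0] if w in K else default for w in D]
    s = [1 if w in K and K[w][1] else 0 for w in D]
    return t, s

def filter_exec(D, K, t, s, doc, sign):
    """c_0 for one document. Only words in M ∩ D are seen, so a keyword absent
    from M adds no term (disjunctive) or forces y_0 = 1 (conjunctive)."""
    f = Counter(doc.split())
    idx = [i for i, w in enumerate(D) if w in f]          # positions of M ∩ D
    c = {i: int(f[D[i]] < t[i]) for i in idx}             # c_i0 = 1 iff f(w_i) < t_i
    terms = [xor(c[i], 1, s[i]) for i in idx]             # c_i0 ⊕ 1 ⊕ s_i
    if sign == "10":
        return or_(*terms)                                # Eq. (6.3)
    y0 = 0 if all(k in f for k in K) else 1               # y_0 = 0 iff H ∩ K = K
    return and_(xor(y0, 1), *terms)                       # Eq. (6.4)

def generic_exec(c0s, ops):
    """Phi(c_0^(1), ..., c_0^(lambda)); ops from {"or", "and", "xor"}, applied left to right."""
    fn = {"or": or_, "and": and_, "xor": xor}
    return reduce(lambda acc, p: fn[p[0]](acc, p[1]), zip(ops, c0s[1:]), c0s[0])

def lemma_check(K, doc, conjunctive):
    """Direct evaluation of Lemma 6.8/6.9, for documents containing every keyword of K."""
    f = Counter(doc.split())
    clauses = [f[k] < t if comp else f[k] >= t for k, (t, comp) in K.items()]
    return int(all(clauses) if conjunctive else any(clauses))
```

Comparing `filter_exec` with `lemma_check` on a document that contains every keyword of K shows why the two constructions need different default thresholds for words outside K: with the wrong default the extra term would force the OR to 1 or the AND to 0.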


6.6 Performance Analysis 


In the disjunctive construction (Sect. 6.5.1), the client can pre-generate the public/private key pair. In addition, the client needs to encrypt the frequency threshold of each classified keyword in the phase of the filter program generation and to decrypt the buffer B to retrieve the matching documents after the buffer returns. If one does not consider the key generation, the total computation complexity of the client is O(d|D|) encryptions to generate the program F and O(mℓ) decryptions to retrieve the matching documents from the buffer, where |D| is the number of words in the dictionary D, 2^d is the maximal number of words contained in each document, ℓ is the number of bits of each document, and m is the maximal number of matching documents in the buffer.

After receiving the filter program F, the server processes each document M_j in three steps. We assume μ = |M_j ∩ D|. At first, the server needs to compute E_pk(c_0). The computation complexity of the first step is O(μd) encryptions to encrypt μ frequencies with d bits, O(μ) homomorphic additions of integers with d bits, O(μ) homomorphic multiplications of bits, and O(μ) homomorphic additions of bits (please refer to Eq. (6.1)). Then, the server needs to add M_j into the buffer B if M_j is a matching document or add 0 into the buffer otherwise. The computation complexity of the second step is O(mℓ^2) homomorphic multiplications of bits and O(mℓ^2) homomorphic additions of bits. At last, the server needs to update the buffer base G. The computation complexity of the third step is O(m) homomorphic multiplications of bits and O(1) homomorphic additions of integers with m bits.

The communication complexity of the disjunctive construction is O(d|D||C|) bits for the query and O(mℓ|C|) bits for the response, where |C| is the size of a ciphertext.

Unlike the disjunctive construction, the conjunctive construction (Sect. 6.5.2) needs to compute E_pk(y_0) and then E_pk(c_0). The computation complexity for the server to compute E_pk(y_0) is O(|D|) homomorphic additions of integers. Although the two constructions compute E_pk(c_0) with two different equations (please refer to Eqs. (6.1) and (6.2)), their complexities for this computation are almost the same.

The disjunctive complement construction (Sect. 6.5.3.1) differs from the disjunctive construction in two ways: the query contains an extra array of ciphertexts to indicate the complement positions in private, and the server computes E_pk(c_0) with Eq. (6.3), which is different from Eq. (6.1). The differences do not affect the computation complexity of the server, but the computation complexity of the client is increased by O(|D|) encryptions of bits and the communication complexity is increased by O(|D||C|) bits relative to the disjunctive construction.

Similarly, the conjunctive complement construction (Sect. 6.5.3.2) differs from the conjunctive construction in two ways. The differences do not change the computation complexity of the server, but the computation complexity of the client is increased by O(|D|) encryptions of bits and the communication complexity is increased by O(|D||C|) bits relative to the conjunctive construction.

The performance of the generic construction (Sect. 6.5.4) depends on the 
performance of the underlying basic constructions. 

The performance comparison of the threshold query protocols is summarized in Table 6.2, where enc. and dec. stand for the encryption and decryption of a bit, add. and multi. denote the homomorphic addition and multiplication of bits, and ADD. represents the homomorphic addition of integers.
Table 6.2 Performance comparison

Protocol: Disjunctive
  Comp. complexity (client): O(d|D|) enc. + O(mℓ) dec.
  Comp. complexity (server, M_j): O(μd) enc. + O(μ) ADD. + O(mℓ^2 + μ) multi. + O(mℓ^2 + μ) add.
  Comm. complexity: O(d|D||C|) + O(mℓ|C|)

Protocol: Conjunctive
  Comp. complexity (client): same as disjunctive
  Comp. complexity (server, M_j): disjunctive + O(|D|) ADD.
  Comm. complexity: same as disjunctive

Protocol: Disjunctive complement
  Comp. complexity (client): disjunctive + O(|D|) enc.
  Comp. complexity (server, M_j): same as disjunctive
  Comm. complexity: disjunctive + O(|D||C|)

Protocol: Conjunctive complement
  Comp. complexity (client): disjunctive + O(|D|) enc.
  Comp. complexity (server, M_j): same as conjunctive
  Comm. complexity: disjunctive + O(|D||C|)


6.7 Conclusion and Discussion 


On the basis of state-of-the-art fully homomorphic encryption techniques, we have described constructions for disjunctive, conjunctive, and complement threshold queries based on keyword frequency and then the construction for the generic threshold query based on keyword frequency given by Yi et al. [23]. These protocols are semantically secure as long as the underlying fully homomorphic encryption scheme is semantically secure.

The construction for the disjunctive threshold query is able to search for documents containing at least one of a set of keywords, as in [1, 2, 15, 16], by letting the threshold t_i = 1 for each keyword k_i ∈ K. The construction for the generic threshold query can search for documents M such that (M ∩ K_1 ≠ ∅) ∧ (M ∩ K_2 ≠ ∅), as in [15, 16], by letting Q^{(1)}_{K_1} and Q^{(2)}_{K_2} be two disjunctive threshold queries with the threshold t_i = 1 for each keyword k_i ∈ K and Φ(Q^{(1)}_{K_1}, Q^{(2)}_{K_2}) = Q^{(1)}_{K_1} ∧ Q^{(2)}_{K_2}. Therefore, their solutions are special cases of the protocols given by Yi et al. [23].

To improve the performance of the constructions, the ciphertext of a bit in the final stage of filter program execution can be compressed or post-processed as in [6]. In this case, the ciphertext of a bit can asymptotically have the same size as an RSA modulus.

Theoretically, any search criterion can be constructed with a fully homomorphic encryption scheme in private searching on streaming data. Even so, different queries will need different constructions. As long as the underlying fully homomorphic encryption scheme is practical, the protocols will be practical. So far, fully homomorphic encryption schemes are impractical for many applications according to [11], because ciphertext size and computation time increase sharply as one increases the security level. Recently, many research efforts have been devoted to constructing efficient fully homomorphic encryption schemes, such as the ones in [4, 5, 21]. We believe that the protocols for private threshold queries based on keyword frequency will be made practical with the performance improvement of fully homomorphic encryption techniques in the future.

Privacy is receiving increasing attention, and future computing paradigms, e.g., cloud computing, will only become viable if the privacy of users is thoroughly protected. For example, Google Alerts is a service offered by Google which notifies its users by e-mail, or as a feed, about the latest Web and news pages of their choice. As in the case of the AOL search data leak, it is not hard to imagine queries which could be privacy sensitive. With the private searching solutions, it is possible for a user to make a filtering program according to the frequencies of some classified keywords and submit it to Google, which executes the program on all the latest Web and news pages. The program can notify the user of its findings according to the search criteria specified by the user. While the program is executed by Google, the search criteria of the user can be kept confidential from Google.